Equifax has become a giant dumpster fire

The credit reporting agency has yet another security blunder on its hands.

It's not been a week since Equifax revealed that the details of 143 million American consumers had been compromised in a data breach, and the dumpster fire continues.

The credit reporting agency, which holds some of your most precious personal data (despite never having gained your consent to hold this information), has stumbled from shambolic mess to shambolic mess since disclosing the breach last Friday.

This latest revelation might just take the cake, however, with cybersecurity expert Brian Krebs revealing on his blog a rather gigantic security flaw in Equifax's Argentinian operations.

A Wisconsin-based security firm examining Equifax's South American operations found an online portal designed for use by employees in Argentina, which could be accessed in the following way:

Username: admin

Password: admin

Krebs, who revealed the 2013 Target data breach, says that using this password, hackers could eventually gain access to the personal details of some 14,000 people who made complaints to Equifax – including the Argentinian equivalent of their social security number.

Now this doesn't affect American consumers in any way, but it serves to highlight the astonishing ease with which Equifax, which holds highly sensitive information including SSNs, credit card numbers, names and addresses, could be compromised.

Equifax told Cnet that it had learned of a "potential vulnerability in an internal portal in Argentina" and acted immediately to "remediate the situation," saying there's no evidence consumers or customers were affected.

It's been a bad week for Equifax

As Cnet explains, Equifax has seriously fumbled the response to its American hack, first by failing to disclose it for six weeks, and then by creating a tool to check whether you've been affected by the breach that produced seemingly random results.

It then encouraged people to sign up for a free year of its TrustedID protection service, which featured small print that very much made it seem like anyone who signed up would be waiving their right to sue Equifax for the data breach.

Equifax eventually clarified this week that nobody who joins it is signing away any rights to legal action.

And finally, in the wake of the breach, consumers concerned about their identities being stolen were encouraged to freeze or set up fraud alerts on their credit reports held by Equifax, Experian and TransUnion.

But ZDNet reports that Equifax's own fraud alert page is also vulnerable to hacking, with security experts noting it can be easily "spoofed" to allow hackers to siphon off even more personal information.

Like we said, dumpster fire.

The FTC has just released new guidance on whether you should get a credit freeze or fraud alert in the wake of the Equifax breach, which you can find here.
