Jane Lytvynenko couldn’t believe what she was seeing. The Buzzfeed journalist was staring at the lawsuit against Equifax, the agency whose 2017 data breach led to the publication of 147 million people’s personal information. She had just noticed a detail that would set alarm bells ringing for any cybersecurity worker.
On the server in question, which stored the users’ confidential information, the credentials were alarmingly insecure: Username: admin. Password: admin. The company’s negligent password policy led to the leak that made it famous all over the world.
As far as we can tell, Equifax made three serious mistakes:
1.- Credentials. Choosing a username and password without even a minimal security policy to prevent possible attacks, vulnerabilities or unauthorized access.
2.- Open servers. The lawsuit states that the server where the data in question was stored had no encryption measures whatsoever. All that was needed to access it was to know its location.
3.- Deficient encryption. When the company chose to encrypt this server, it saved the password in a file inside the same storage. This goes against every credential retention and storage policy for a company of this size.
With all of these factors, the resulting user outrage was a foregone conclusion. But it wasn’t the users who decided to take legal action against Equifax; it was a total of 373 shareholders who had invested in the company between February 25, 2016 and September 15, 2017, not long before the data breach took place and was made public. These shareholders filed a class-action suit that is currently being fought in court.
According to the claimants, their shares lost value due to “multiple false or misleading statements and omissions about the sensitive personal information in Equifax’s custody, the vulnerability of its internal systems to cyberattack, and its compliance with data protection laws”. The court that allowed the lawsuit also states that “Equifax’s cybersecurity was dangerously deficient” since “the company relied upon a single individual to manually implement its patching process across its entire network”.
The problem with a bad password
This case brings to light the dangers faced by any company that uses a deficient password policy. This kind of policy needs to meet, at the very least, the following requirements in order to keep credentials safe:
- Generally speaking, passwords should never be short. The more letters, the more difficult they are to break, so a good password should never have fewer than 10 characters.
- Types of characters. An ideal password must contain alternating letters and numbers. To help remember the numbers, they can substitute certain letters. Some letters must also be in uppercase.
- Sentences or compound words. The ideal password is a string of alphanumeric characters with no connection between them; but if they are connected, they shouldn’t form a single word, but rather a whole phrase, or at least a combination of two words.
- Up-to-date. It is impossible for any company to be completely sure that their passwords will never be exposed. This means they must be changed continually, especially when there is staff turnover.
- A password must be in possession of as few people as possible. It must never be given to an employee who is only going to use it from time to time.
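The five policy points above turned into a checker, as an added example that is not part of the original article. The 90-day rotation window and the list of stock default credentials are assumed values (the text only says passwords must change "continually"); the function also rejects the username-equals-password case from the Equifax lawsuit.

```python
import re
from datetime import date, timedelta
from typing import List

# Thresholds from the article's list; the rotation window is an assumed
# value, since the text only says passwords must change "continually".
MIN_LENGTH = 10
MAX_AGE = timedelta(days=90)

# Constructed list of stock default credentials that are rejected outright.
DEFAULT_CREDENTIALS = {"admin", "password", "root", "123456"}

# Splits "CorrectHorse42" into ["Correct", "Horse"]: camel-case or
# separator-delimited runs of letters count as separate words.
WORD_RUN = re.compile(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])")

def check_password(username: str, password: str,
                   last_changed: str, today: str) -> List[str]:
    """Return the policy violations for a credential; [] means compliant.

    Dates are ISO strings (YYYY-MM-DD) so callers need no datetime imports.
    """
    problems = []
    lowered = password.lower()
    # The Equifax case: password identical to the username, or a stock default.
    if lowered == username.lower() or lowered in DEFAULT_CREDENTIALS:
        problems.append("default or username-derived credential")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("must mix letters and digits")
    if not re.search(r"[A-Z]", password):
        problems.append("needs an uppercase letter")
    # "Sentences or compound words": a single run of letters is one word.
    if len(WORD_RUN.findall(password)) == 1:
        problems.append("reads as a single word")
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    if age > MAX_AGE:
        problems.append("not rotated in %d days" % age.days)
    return problems

if __name__ == "__main__":
    # Constructed sample: the credential from the lawsuit versus a compliant one.
    for user, pw, changed in [("admin", "admin", "2017-01-01"),
                              ("jdoe", "CorrectHorse42", "2017-08-01")]:
        print(user, pw, check_password(user, pw, changed, "2017-09-01") or "OK")
```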
In any case, as mentioned above, it is impossible for any company to be totally sure that their passwords will never be breached, especially if their protection depends on employees, who tend to be a weak point in the security chain. This is why any organization that wants to keep its credentials secure mustn’t rely solely on its employees. The vital thing in these cases is for companies to be aware of the fact that, even if they follow a good password policy, their protection must be tackled not only from a human standpoint, but a technological one too, with a solution that matches the company’s cybersecurity maturity level. Failing this, they risk suffering a reputational and economic disaster like that experienced by Equifax.