Should you trust credit monitoring company Equifax to keep your personal data safe? The answer to that question may be getting clearer. Not only did the firm suffer one of the largest data breaches in history — 143 million people’s names, social security numbers, home addresses and more hacked,— but experts keep managing to poke holes in the company’s security.
The latest comes from Argentina, where Equifax reportedly used the word “admin” as both the username and password for an employee web portal designed to protect both employees and customers who submitted credit disputes. (It doesn’t take Edward Snowden to know that’s a bad idea.)
According to cybersecurity expert Brian Krebs — perhaps best known for his role in revealing that resulted in the theft of around 40 million credit card numbers — the Argentinian site was secured so poorly that anyone could theoretically impersonate an employee by simply reading their username and password off the site, or even add themselves as a new “employee” to the database.
Perhaps worse, they would have been able to read some 14,000 credit dispute complaints from ordinary Argentinian citizens, which were stored in plain text instead of being encrypted. After being contacted by Krebs about the vulnerability, the company took the portal down.
Equifax wouldn’t fact-check specific details for us, but provided this statement:
We learned of a potential vulnerability in an internal portal in Argentina which was not in any way connected to the cybersecurity event that occurred in the United States last week. We immediately acted to remediate the situation, which affected a limited amount of public information strictly related to consumers who contacted our customer service center and the employees who managed those interactions. We have no evidence at this time that any consumers, customers, or information in our commercial and credit databases were negatively affected, and we will continue to test and improve all security measures in the region.
Other recent reported Equifax screw-ups include: A tool to check if you’ve been hacked, and a credit-monitoring site that .
On Monday,that Equifax answer detailed questions about how, precisely, Equifax was hacked, how long the company was aware, and to shed light on three Equifax executives who sold stock after the hack was discovered but before it was made public.