Equifax had 'admin' as login and password in Argentina

  • Published
VerazImage source, Equifax
Image caption,

Equifax's latest security breach involves its Argentinian operation

The credit report provider Equifax has been accused of a fresh data security breach, this time affecting its Argentine operations.

Cyber-crime blogger Brian Krebs, external said that an online employee tool used in the country could be accessed by typing "admin" as both a login and password.

He added that this gave access to records that included thousands of customers' national identity numbers.

Last week, the firm revealed a separate attack affecting millions in the US.

After being notified of the latest breach, Equifax temporarily shut the affected website.

"We learned of a potential vulnerability in an internal portal in Argentina which was not in any way connected to the cyber-security event that occurred in the United States last week," an Equifax spokeswoman told the BBC.

"We immediately acted to remediate the situation, which affected a limited amount of information strictly related to Equifax employees.

"We have no evidence at this time that any consumers or customers have been negatively affected, and we will continue to test and improve all security measures in the region."

The discovery came less than a week after Equifax revealed that a separate breach meant about 143 million US consumers and an undisclosed number of British and Canadian residents might have had personal details exposed.

The firm took six weeks to make the discovery public after first learning of a problem.

On Tuesday, 36 US senators called for a federal investigation into how three company executives came to sell nearly $2m (£1.5m) worth of shares in the company in the interim.

Equifax is also facing dozens of legal claims over the matter.

Image source, EPA
Image caption,

Equifax has yet to say how many UK citizens may have been affected or what data they may have had compromised

Mr Krebs wrote that the Argentine matter involved Equifax's local business Veraz.

Specifically, a web application - referred to as Ayuda, the Spanish for "help" - appears to have been weakly guarded.

"[It] was wide open, protected by perhaps the most easy-to-guess password combination ever: admin/admin," wrote Mr Krebs.

The discovery was made by the US cyber-security firm Hold Security, which Mr Krebs advises.

Its researchers explored the portal and within found a list of more 100 Argentina-based employees, the blogger disclosed.

Using this list they were able to uncover the workers' company usernames and passwords, which turned out to be matching words in each instance.

Each example amounted to either solely the worker's last name or a combination of their surname and their first initial, which made them fairly easy to guess anyway, Mr Krebs added.

'Extraordinary'

"But wait, it gets worse," he blogged.

"From the main page of the Equifax.com.ar employee portal was a listing of some 715 pages worth of complaints and disputes filed by Argentinians who had at one point over the past decade contacted Equifax via fax, phone or email to dispute issues with their credit reports.

"The site also lists each person's DNI [documento nacional de identidad]- the Argentinian equivalent of the social security number - again, in plain text."

All told, there were more than 14,000 such records, Mr Krebs said, concluding that the firm had been "sloppy".

Unlike social security numbers in the US, DNIs are publically available in Argentina.

But one UK-based cyber-security expert agreed the case raised questions about how Equifax protects the data it holds.

"This kind of security vulnerability is extraordinary as even the most basic of checks should reveal this," Prof Alan Woodward from the University of Surrey told the BBC.

"It's outrageous that any organisation that holds such sensitive personal data can build a portal with this kind of basic security vulnerability.

"It simply shouldn't happen and responding that they have now fixed the issue is not the point: it puts a huge question mark over whether Equifax have been applying the appropriate resources to online security elsewhere."

Related internet links

The BBC is not responsible for the content of external sites.