In an absolutely disturbing and ridiculous turn of events, new findings have surfaced in the Equifax data breach. Apparently, an Equifax web portal was protected with the following as both its username and password: "admin". That's right, you read that correctly. They not only used the same word for the username and the password, they picked perhaps the most notorious default credential other than the word "password" itself, on a login that was supposed to keep our collective personal information safe.
That this is a GROSS case of negligence doesn't even begin to describe the ineptitude, because that's not where the story ends. Really? Yup. Not only were the username and password weak, the personal information behind that login wasn't encrypted either, so things like our names, addresses, social security numbers, secret passphrases, etc. were stored in the clear on servers that were PUBLIC-FACING!!!
What does unencrypted mean? It means the data on the server was stored as-is, readable by anyone who managed to get at it. Encrypted data has been transformed with a secret key into ciphertext that reads as gibberish; without the key you get nothing useful back, and for a modern cipher with a properly sized key (AES with a 256-bit key, for example) there is no practical way to recover the data by brute force. Two things often get muddled here. Encryption is not hashing: a hash is a one-way fingerprint that cannot be reversed even with a key, which is the right tool for storing passwords but the wrong one for data the application has to read back, such as an address. And encryption at rest only protects against someone who walks off with the disk or a database dump; if an attacker can simply log in as "admin", the application happily decrypts the records for them exactly as it would for a legitimate user. The weak credentials and the missing encryption are two separate failures, and fixing the second would not have saved data reachable through the first.
What does public-facing mean? It means the server was reachable from the internet rather than only from the company's internal network (an intranet), so anyone who found it could try to log in, and with a username and password like "admin"/"admin" they would get in on the first guess; automated scanners try exactly these default credentials against every login page they come across. We can't even begin to understand who in their right mind thought this was acceptable. It doesn't even make sense as a cost-saving measure, because any competent IT person has the common sense not to reuse the username as the password, let alone a well-known default like "admin".
These recent revelations give us great pause about how well other organizations safeguard our personal information. Be careful with the information you hand over, and take whatever measures you can to protect yourself: use a VPN on untrusted networks (it protects your traffic in transit, not data a company already holds about you), turn on two-factor authentication, don't reuse passwords across logins, or at the very least keep the passwords for financial and other sensitive accounts distinct from everything else, and use a password manager so that distinct passwords are actually practical. Read the fine print of the terms of service. It might be a pain, but it might just protect you from the horrible costs of having your identity stolen.