Pixel Envy

Written by Nick Heer.

Equifax’s Argentinian Affiliate Poorly Secured a Decade’s Worth of Customer Disputes

Brian Krebs:

Earlier today, this author was contacted by Alex Holden, founder of Milwaukee, Wisc.-based Hold Security LLC. Holden’s team of nearly 30 employees includes two native Argentinians who spent some time examining Equifax’s South American operations online after the company disclosed the breach involving its business units in North America.

It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

As reports like these keep coming in, please keep three things in mind:

  1. The extremely private data that Equifax retains in bulk is used to permit or deny access to credit for nearly a billion people around the world.

  2. Equifax is a for-profit corporation, not a branch or agency of any government. Its ratings have become a de facto standard based on its market share, but Equifax’s methodology is by no means a standard or transparent.

  3. In the United States and many other countries, there are few laws governing how this private data may be stored, and fewer still providing frameworks for holding companies like Equifax and its management accountable for their mistakes.