12 Sep 17

Ayuda! (Help!) Equifax Has My Data!

Equifax last week disclosed a historic breach involving Social Security numbers and other sensitive data on as many as 143 million Americans. The company said the breach also impacted an undisclosed number of people in Canada and the United Kingdom. But the official list of victim countries may not yet be complete: According to information obtained by KrebsOnSecurity, Equifax can safely add Argentina — if not also other Latin American nations where it does business — to the list as well.

Equifax is one of the world’s three largest consumer credit reporting bureaus, and a big part of what it does is maintain records on consumers that businesses can use to learn how risky it might be to loan someone money or to extend them new lines of credit. On the flip side, Equifax is somewhat answerable to those consumers, who have a legal right to dispute any information in their credit report which may be inaccurate.

Earlier today, this author was contacted by Alex Holden, founder of Milwaukee, Wisc.-based Hold Security LLC. Holden’s team of nearly 30 employees includes two native Argentinians who spent some time examining Equifax’s South American operations online after the company disclosed the breach involving its business units in North America.

It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

We’ll speak about this Equifax Argentina employee portal — known as Veraz or “truthful” in Spanish — in the past tense because the credit bureau took the whole thing offline shortly after being contacted by KrebsOnSecurity this afternoon. The specific Veraz application being described in this post was dubbed Ayuda or “help” in Spanish on internal documentation.

The landing page for the internal administration page of Equifax’s Veraz portal.

Once inside the portal, the researchers found they could view the names of more than 100 Equifax employees in Argentina, as well as their employee ID and email address. The “list of users” page also featured a clickable button that anyone authenticated with the “admin/admin” username and password could use to add, modify or delete user accounts on the system. A search on “Equifax Veraz” at LinkedIn indicates the unit currently has approximately 111 employees in Argentina.

A partial list of active and inactive Equifax employees in Argentina. This page also let anyone add or remove users at will, or modify existing user accounts.

Each employee record included a company username in plain text, and a corresponding password that was obfuscated by a series of dots.

The “edit users” page obscured the Veraz employee’s password, but the same password was exposed by sloppy coding on the Web page.

However, all one needed to do in order to view said password was to right-click on the employee’s profile page and select “view source,” a function that displays the raw HTML code which makes up the Web site. Buried in that HTML code was the employee’s password in plain text.

A review of those accounts shows all employee passwords were the same as each user’s username. Worse still, each employee’s username appears to be nothing more than their last name, or a combination of their first initial and last name. In other words, if you knew an Equifax Argentina employee’s last name, you also could work out their password for this credit dispute portal quite easily.
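The two coding defects described above (a password field that is masked on screen but carries the secret in the page source, and passwords identical to usernames) can be caught by a simple audit of server-rendered HTML. The script below is an added example, not code from the original post or from Equifax or Hold Security; the form markup and the `/hypothetical/users/edit` path are constructed for illustration.

```python
"""Audit rendered HTML for password inputs that ship their value to the browser.

Added example (not from the original post). The sample pages are constructed to
mimic the pattern the article describes: a password <input> rendered as dots
but carrying the secret in its `value` attribute, and a password that equals
the username. The audit reports the defect without echoing the secret itself.
"""
from html.parser import HTMLParser


class PrefilledPasswordFinder(HTMLParser):
    """Collect every <input type="password"> that has a non-empty value,
    noting the most recent text/email field in the same form (the username)."""

    def __init__(self):
        super().__init__()
        self.findings = []          # one dict per leaked password field
        self._last_username = None  # value of the last text/email input in this form

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self._last_username = None      # usernames are scoped to one form
        if tag != "input":
            return
        a = dict(attrs)                     # attrs is a list of (name, value) pairs
        itype = (a.get("type") or "text").lower()
        value = a.get("value") or ""        # value may be None for bare attributes
        if itype == "password":
            if value:                       # a prefilled password is the defect
                self.findings.append({
                    "field": a.get("name", "?"),
                    "username": self._last_username,
                    "password_equals_username": value == self._last_username,
                })
        elif itype in ("text", "email"):
            self._last_username = value


def audit_html(html: str):
    """Return the list of findings for one rendered page (empty list = clean)."""
    parser = PrefilledPasswordFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a sloppy "edit user" form that leaks the stored password.
LEAKY_PAGE = """
<form action="/hypothetical/users/edit">
  <input type="text" name="username" value="jsmith">
  <input type="password" name="password" value="jsmith">
</form>
"""

# Constructed sample: the corrected form never echoes the stored secret.
FIXED_PAGE = """
<form action="/hypothetical/users/edit">
  <input type="text" name="username" value="jsmith">
  <!-- leave the field empty; accept a new password, never display the old one -->
  <input type="password" name="password" value="" placeholder="(unchanged)">
</form>
"""

if __name__ == "__main__":
    for label, page in (("leaky", LEAKY_PAGE), ("fixed", FIXED_PAGE)):
        print(label, audit_html(page))
```

Run it against a saved copy of any internal admin page (for instance a crawl of your own portal) to flag forms that need the same fix.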

But wait, it gets worse. Reachable from the main page of the Equifax.com.ar employee portal was a listing of some 715 pages’ worth of complaints and disputes filed by Argentinians who had at one point over the past decade contacted Equifax via fax, phone or email to dispute issues with their credit reports. The site also lists each person’s DNI — the Argentinian equivalent of the Social Security number — again, in plain text. All told, this section of the employee portal included more than 14,000 such records.

750 pages worth of consumer complaints — more than 14,000 in all — complete with the Argentinian equivalent of the SSN (the DNI) in plain text. This page was auto-translated by Google Chrome into English.

Jorge Speranza, manager of information technology at Hold Security, was born in Argentina and lived there for 40 years before moving to the United States. Speranza said he was aghast at seeing the personal data of so many Argentinians protected by virtually non-existent security.

Speranza explained that — unlike the United States — Argentina is traditionally a cash-based society that only recently saw citizens gaining access to credit.

“People there have put a lot of effort into getting a loan, and for them to have a situation like this would be a disaster,” he said. “In a country that has gone through so much — where there once was no credit, no mortgages or whatever — and now having the ability to get loans and lines of credit, this is potentially very damaging.”

Shortly after receiving details about this epic security weakness from Hold Security, I reached out to Equifax and soon after heard from a Washington, D.C.-based law firm that represents the credit bureau.

I briefly described what I’d been shown by Hold Security, and attorneys for Equifax said they’d get back to me after they validated the claims. They later confirmed that the Veraz portal was disabled and that Equifax is investigating how this may have happened. Here’s hoping it will stay offline until it is fortified with even the most basic of security protections.

According to Equifax’s own literature, the company has operations and consumer “customers” in several other South American nations, including Brazil, Chile, Ecuador, Paraguay, Peru and Uruguay. It is unclear whether the complete lack of security at Equifax’s Veraz unit in Argentina was indicative of a larger problem for the company’s online employee portals across the region, but it’s difficult to imagine they could be any worse.

“To me, this is just negligence,” Holden said. “In this case, their approach to security was just abysmal, and it’s hard to believe the rest of their operations are much better.”

I don’t have much advice for Argentinians whose data may have been exposed by sloppy security at Equifax. But I have urged my fellow Americans to assume their SSN and other personal data was compromised in the breach and to act accordingly. On Monday, KrebsOnSecurity published a Q&A about the breach, which includes all the information you need to know about this incident, as well as detailed advice for how to protect your credit file from identity thieves.

[Author’s note: I am listed as an adviser to Hold Security on the company’s Web site. However this is not a role for which I have been compensated in any way now or in the past.]


143 comments

  1. My guess is several people from Equifax are going to find themselves in front of a judge… This sloppiness is pretty much criminal.

    • you know that doesn’t happen to suits very often, why not give them a bailout and a tax break for the next 6 years… while we are at it lets give all C-Levels a 6% raise and a 6% bonus…

    • Probably not. I wish you were right though.

    • They own so many members of Congress it’s doubtful if they even go near a courtroom.
      The lobbyists run the country millions of dollars.
      Did anybody go near a courtroom because of the recession of 2008?

      • not any of the top level suits that is for sure…

      • Only bank to be charged: Abacus Federal. Can see the doc about it (“Abacus”) now on PBS Frontline. It is an incredible film underlining failure of DoJ to charge the Too Big To Fail banks, while charging only one small family-run bank serving the Chinese community in NYC. The bank management was exonerated.

    • Means nothing.

      Even jailing a few of them — which I doubt, nobody was jailed after the bigger 2008 crash — will not address systemic problems.

      Corporations are out of control and predatory, without any obligations and responsibilities. A recipe for disaster.

      As long as Americans don’t internalize that they’re grinding water — corporations should have never been given rights equal to individuals — THAT is what absolves their management from punishment.

    • Even if a few of them ever see the inside of a jail — this did not happen even after the 2008 and previous crashes — it will not solve the systemic factors that cause public problems.

      These are SYSTEMIC problems. Corporations are out of control and they control the govt. They should have never given the rights of individuals. THAT is what absolves mgmt. from responsibility and punishment. Can you see them doing this kind of business if they were personally liable for them?

      Given this system there is absolutely nobody and nothing in it that protects the public.

  2. This truly is negligence and Equifax should be held financially responsible. This breach has destroyed the security of so many.
    Those who sold their stock in Equifax before the breach was public knowledge should be charged with insider trading and face the maximum penalty allowed by law.
    It is time all of these negligent companies pay with liquidation and executives forfeit all investment, pension and bonuses.

  3. It is indicative of how many large multinational companies are organized; each region operates on its own and with its own staff…often the result of acquisition. The smaller regions are likely to behave like small/mid businesses. So few, if any, security professionals. There are probably significant economic and cultural differences that account for the variation too, but IMHO it’s mostly the result of operating like a smaller business, without much guidance or oversight from the mother ship.

  4. According to my little research on your recommendation about CREDIT FREEZE or SECURITY FREEZE, laws in Peru (South America) don’t look like they support any similar mechanisms for our credit profiles. These laws are quoted from our financial regulator (called SBS http://www.sbs.gob.pe/repositorioaps/0/1/jer/pau_reporte_central_riesgos/central%20de%20riesgos.pdf), see page 10, as Law 26702, Law 27489 & Law 27863. I also made a call asking a CREDIT FREEZE, but it is not an available option.

  5. I’ll bet there are a bunch of firms with subsidiaries that carry the name of the mother company such as in this case, looking for gaping security holes. Equifax certainly isn’t the only one. I just hope that there is a very high cost to the firm, even liquidation since it’s often existential risks that get management attention. A little fine and some bad press for a couple weeks is not enough to change behaviors as we’ve seen time and time again.

  6. I am dumbfounded. Wait, not really. The cream doesn’t rise to the top in many global corporations. I hope Equifax goes down the drain, they deserve to.

    • @Martha Keeley

      Cream may not always rise to the top, but pond scum often does.

    • Even if they do go down, it won’t solve the fundamental problems.
      It will only make their competitors more brazen because of more concentration. And the few large shareholders and mgmt. will retire filthy rich, indicating to others that there is nothing much to fear personally from negligence and disregard.

  7. I’m really wondering now — what would be the most effective means of getting Equifax to remove all of my personal information from their database?

  8. Equifax: No zero day required! No spearphishing either.

  9. After reading Brian’s articles about the breach last week, I heard Leo Laporte talking about it on his Tech Guy Labs radio program this past weekend. He has a nationwide audience. Leo slammed Equifax bigtime.

    He agrees, freeze your credit at all three companies. He called for serious fines to be levied as well as criminal charges if possible. And Equifax to pay for any credit damages that result from this breach.

    He felt a freeze would hurt the bottom line of Equifax but I’m not sure about that. I would do it to hopefully prevent any ID theft from someone trying to get credit in my name. He also said not to sign up for monitoring, especially from Equifax, freezing is the way to go.

    Considering that the US population of 326 million has about 70 million children, many of which do not have any files with Equifax and others who never established credit, the 143 million breach is well over half the population with credit histories.

    Question is, will the dysfunctional Washington politicians do something about this?

    I did look at FICO for getting another report besides the free ones we’re entitled to and it seems the prices have gone up since the last time I paid $45, now $60.

    Seems my scores dropped a bit for opening up a new CC account this year. They want you to establish credit but ding you when you do. Seems they say “averages” show 2% of the people with my score default on loans. Reminds me of the story about a man who drowned while crossing a river with an “average” depth of only 18 inches. Averages can be glass half empty or half full depending on what you “want them to be”.

    Equifax needs to be sued into oblivion!!!

    • A credit freeze does hurt the credit reporting agency. They make most of their money on providing access to credit reports to businesses and consumers. If you put a credit freeze on your account, they can’t provide that information but they still have to maintain the credit record. That means they have a ‘dead’ account which is costing them money but not providing any income.

      • Which suggests that they will do all sorts of tricks to force the defreezing of those accounts and, at best, will disregard their security even more, if that is possible.

        What negligence? Were they ever REQUIRED to provide minimal security by law? Did they ever incur a cost that even approaches their profits from failing to invest in security?

        As many have mentioned here, the public is not their customer, but their product and they owe nothing to it.

        All corporations that have made the public a product and produce nothing except generate rent from stealing private data (Facebook, Google, Twitter, LinkedIn, now even Microsoft) have no public obligations. Why Americans expect them to do anything other than prey on them escapes me.

    • impose a regulation mandating that we receive 50% of all revenues the credit bureaus earn from sharing information about us.

  10. T. Robin Cole, III

    Do all states permit parent/guardian to freeze the credit reporting of minors?

  11. long overdue revenge for the Falklands war? More of those Brit hackers?

  12. Please tell me that the 143 million American breach didn’t happen in a similar manner on an unsecured website that was taken down before the breach was publicly announced.

  13. As a (retired) IT guy, I usually have sympathy for overworked IT staffers defending infrastructure. It’s easier to find one badly configured server than to perfectly patch and defend 1000 servers.

    But this is just awful. I would expect one of the employees to point out their insecure default password to someone who would take action. I’m sad at the lack of individual initiative on anyone’s part (much less auditing of servers with customers’ PII, personally identifiable information).

    Restricting this administrative website to a company intranet and requiring VPN to access it would also have been helpful.

  14. Has Equifax really adopted Enron’s logo, or is someone just having us on? Ironic as h— if true!

  15. The only solution for this stupidity is a corporate death penalty. You do something this totally ignorant you are permanently put out of business.

  16. I am about to start a new job and the employer requires me to sign up with Equifax through talx.com for payroll. I am worried about giving my data to Equifax. Is there anything I can do?

    • Jokingly, or seriously: Hire a lawyer to draft up a contract for the company HR and Equifax to sign, that they “take protection of your information seriously” in a court of law, along with their level of database encryption, database separation from the internet, etc, to your full satisfaction–your contract with them for using Talx (a new standard protect-yourself contract since organizations and businesses often aren’t protecting personal info correctly).

      • And if you follow this advice, also dust off and update your resume as the employer will most likely move on to the next best qualified candidate.

    • Equifax already has your data.

      If it’s a good job, don’t lose it over nothing.

    • Yes, informally inform the employer of your concerns and negotiate that you be paid directly, rather than through a third-party.

      If you meet resistance, decline in writing and begin searching for a new job. In your letter, explain your concern and politely thank the employer for the offer. This is a negotiating tactic which may or may not produce the result you desire.

      Good luck.

  17. In Texas, each credit bureau can charge $10 each time you want to freeze/unfreeze your credit.

    Not sure which states in US allow a fee to be charged, but if 100 million people in the US have to each pay $10 to each of the 3 major credit bureaus to freeze\unfreeze their credit, the industry just got an instant 3 billion dollar boost each year, until the end of time, for simply flipping an enable/disable bit in a database record that contains your info.

  18. At one point the database backups of Veraz were that bag of untested tapes that admins tripped over when entering the datacenter. Until one day they lost data and needed the backups.

    I won’t name my sources…

  19. You had me at admin/admin.

    “All your server are belong us…”
    -Anon

  20. This is the saddest thing, it happened to me. I haven’t been able to borrow money any place, I’ve been turned down so many times for a mortgage. I’m so frustrated I wanted to just die. Because of the Equifax. Now I need help, my credit report is too low for a home loan. I’m so stressed because of this credit exposed of breach.

  21. So this will be the scenario…
    1. More apologies from Equifax and PR flaks at Edelman
    2. More phony offers from Equifax
    3. Executives will “retire” with golden parachutes
    4. Congress will investigate!
    5. Nothing will be done…
    6. Repeat by some other major company with embarrassing IT security

    No surprise here as IT security is a joke and same with IT management

  22. Brian, do you know whether data from all non-US countries was in separate databases? As social security details differ that might be technically easier for Equifax – Argentina is an example. If all were protected with admin/admin it would be laughable. I’m interested particularly in UK data. I wonder whether anyone in the UK is following up on this! This article is an excellent illustration of why the EU is so concerned about cross-border storage of personal data which, once transferred, is no longer subject to the legal protection of EU institutions.

  23. Wait, so Alex Holden says that two Wisconsin based Argentinian employees of Hold Security LLC broke the Computer Fraud and Abuse Act? Is this standard operating procedure for that company?

    • well yes, they are security researchers. As a general rule, security researchers consider themselves to be special because they mean well. 🙂

      It’s plausible, if this is a completely custom application, that it has never been accessed inappropriately outside of these researchers. As much as security pros like to complain about “security through obscurity”, obscurity can make the difference between vulnerable data and compromised data. Equifax should be required to provide a separate update on its investigation into this issue.

  24. Bob, have you read the terms of service for this site? You in fact may be in violation of the CFAA.

  25. There’s really only a few people who are responsible: management who signed off on this. The buck has to stop somewhere.
    IT support and head of IT who implemented this approach. Everyone else is not responsible because it’s not their job. If you think about it, how many people at a company are SUPPOSED TO KNOW the admin username/password? Just those tasked to do the work.

  26. Just received this info Equifax says it will now waive all of its fees for customers who want to freeze their credit files with the company, reports The New York Times, but it will only do so until November 21.

    • …which basically amounts to a 25% discount on the cost of a credit freeze, since we will still have to pay for freezes at the other bureaus. If Equifax actually cared about consumer protections, they would work with the other bureaus to let victims freeze all of their accounts without cost.

  27. Plain text??? There was no era in the past when putting passwords in the HTML was a thing, let alone putting them in plain text… woow.

  28. Banks get audited by the FED for computer security etc.
    Who audits the credit reporting companies?

    They have all this money and don’t do anything
    to harden their systems or have an outside vendor come in to pen test?

    What were the results of their last security audit?

    I would be locked up in jail if this happened on
    my watch.

    • If corporations like Equifax are this security incompetent what hope do you have that a govt agency will be able to audit them and identify lapses? Illusions.

      Tech corporations have long overwhelmed govt ability to regulate and control them.

      If you thought you are ruled by the govt, that is true only if you realize that the govt is an agency of the corporations and does only what they want it to do.

  29. Wow. I just tried to freeze my credit on Equifax and received the message that my “request could not be processed at this time”. I guess a lot of irate people are pounding their servers. Or just more bad IT practices from these stooges . . .

  30. I have a suggestion:

    There’s a common law concept called “strict liability.” It applies in a case like this: A farmer owns a bull and keeps it in a fenced field. The bull escapes and does some damage in the village. Then, the farmer is responsible for the damage WHETHER OR NOT he was negligent in letting the bull escape.

    This concept applies to people who hold all sorts of inherently hazardous items. If you have a pond on your property held in place by a little dam, and the dam breaks, and your neighbor’s car gets ruined, you’re strictly liable to buy her a new car, even if you did a good job constructing and maintaining your little dam.

    This principle needs to apply to people and companies who hold caches of personal data. Those caches are inherently dangerous to the public, because of identity theft.

    And, we know that keeping dangerous caches of data secret forever really is not possible. Not even state actors with unlimited funding (such as the NSA) can succeed at that. Secrets, like bulls and water in ponds, are almost certain to escape.

    You and I should not have to prove that a company like Equifax was negligent to get compensation if we’re damaged by such an escape. They need to be strictly liable for that.

    How do farmers deal with their strict liability? They don’t keep bulls they don’t need. Companies should be forced to consider the same when they keep records on us.