
Equifax securities fraud class action [pdf] - bookofjoe
http://securities.stanford.edu/filings-documents/1063/EI00_15/2019128_r01x_17CV03463.pdf
======
RankingMember
> On August 2, 2017, Equifax notified the FBI of the Data Breach. It also
> retained legal counsel to guide its investigation into the breach. The same
> day, Equifax’s legal counsel retained Mandiant to assist in the
> investigation into the incident. Experts would later note that these steps
> suggested that Equifax knew that the Data Breach was serious. In the days
> immediately following the discovery of the Data Breach, Gamble and Ploder
> sold more than $1 million in Equifax stock. On August 1, Gamble, Equifax’s
> Chief Financial Officer, sold stock for $946,374, representing more than
> thirteen percent of his holdings. On August 2, Ploder sold stock for
> $250,458, representing four percent of his holdings. These sales were not
> made pursuant to a Rule 10b5–1 trading plan. Smith would later state in
> congressional testimony that Ploder and Gamble would have been in many of
> the meetings he had concerning the Data Breach.

Am I crazy or is this not blatant insider trading?

~~~
kjaftaedi
It's sad how obvious this is. Possibly even more obvious than the insider
trading at intel prior to the spectre/meltdown public release.

This will be forever the legacy of Eric Holder, the man who changed the
justice department policy to go after smaller 'fines' as settlements instead
of prosecuting crimes, only because of the simple fact that fines are easy to
win, and criminal cases can be lost.

Justice is now escapable because it's been deemed "too difficult to pursue"

~~~
50656E6973
>changed the justice department policy to go after smaller 'fines' as
settlements instead of prosecuting crimes.. only because of the simple fact
that fines are easy to win, and criminal cases can be lost.

This policy change could also perhaps be attributed to lobbyists seeking to
maximize profits and minimize risks for corporate clients who are knowingly
breaking the law.

~~~
ericmay
Sure, which is the fault of the people and the government, as far as I’m
concerned. If an elected official is corrupted or doing something we disagree
with, it’s our job to fix it.

------
sn41
This is quite strong policy. Usually in most sinister incompetent companies,
the user name is "admin" and the password is "password".

On a serious note: there should be a mandated, periodic, third-party security
audit by neutral parties for all entities which deal with user data beyond a
certain specified level of sensitivity. It should not be left to their
discretion when to run such an audit from their end. Whether an entity similar
to SEC for the stock exchange is desirable can be debated, but the current
laissez faire approach to data will lead to even more such disasters.

~~~
VMG
The laws already exist, the penalty is just too small. With higher penalties
there would be an insurance market where the insurers set standards and
perform audits.

Standards set by bureaucrats are usually written by special interest groups and
don't achieve the desired outcome at a good cost.

~~~
ed_blackburn
Sadly, having been in such an environment, I can confirm that indemnity
insurance exists for such situations. What happens is that the underwriter, to
reduce risk, mandates a very rigid process.

In one case, I saw a "private cloud" provider underwrite their client's system
by owning the "software-development-release-cycle". They were mandating
quarterly releases and three-month manual testing and regression periods.

They put themselves in a situation whereby they could charge the client for
the tin, administering the process, the time and materials for the deployment
and testing and the indemnity premium.

They reduced their risk/exposure because infrequent releases and such long
regression cycles meant assurance levels were rarely met within the dedicated
window. There was a very long tail of unreleased features. In summary, they
mitigated any risk by choking the product, reducing the number of releases
and the size of them to deliver a fraction of the value available.

We learned to work around it by taking advantage of feature switching, but
quarterly releases are a death knell for a product.

------
dragonwriter
Note that this is an order on a motion to dismiss; none of the fact claims
reported here are findings by the court, they are allegations made against
Equifax. In a motion to dismiss, the facts in dispute are viewed in the light
most favorable to the non-moving party, and here Equifax and other defendants
are moving to dismiss. That's why the supporting reference for every fact
claim is to the complaint against Equifax in the case, and “According to the
plaintiff” is liberally scattered throughout the document.

~~~
24gttghh
So, the footnotes for the "admin" "admin" (46. Id. ¶ 225 (emphasis omitted)
points at footnote 1. Am. Compl. ¶ 3.) claim refer to the amended complaint,
paragraph 3? Any idea where this amended complaint is, which most of the early
footnotes are referring to?

~~~
LurkersWillLurk
Here's the Amended Complaint:

[https://www.courtlistener.com/recap/gov.uscourts.gand.241666...](https://www.courtlistener.com/recap/gov.uscourts.gand.241666/gov.uscourts.gand.241666.49.0.pdf)

~~~
24gttghh
So bullet point # 225 from that complaint basically says the same as the PDF
we're discussing:

>Likewise, Equifax “protected” one of its portals used to manage credit
disputes with the username ‘admin’ and password ‘admin.’ This portal allowed
access to a vast cache of personal information, including employee names,
emails, usernames, passwords, consumer complaint records, and the Argentinian
equivalent of Social Security numbers. The portal also granted administrative
access allowing intruders to add, delete, or modify records. A November 15,
2017 article in Forbes quoted cybersecurity expert Wes Moehlenbruck, who
stated that this was one of many “very grossly negligent security practices”
at Equifax. The article continued, “‘Admin/admin’ as a database password is a
surefire way to get hacked almost instantly,’ Moehlenbruck says. ‘A production
database with this account smells of poor security policy and a lack of due
diligence.’

Seems to agree with what GP was saying.

~~~
Gene_Parmesan
But the complaint is similar. It's simply the allegations of one side. Part of
the job of a trial is deciding the truth or falsity of these factual claims.

------
bookofjoe
>For example, Equifax relied upon four digit pins derived from Social Security
numbers and birthdays to guard personal information, despite the fact that
these weak passwords had already been compromised in previous breaches.
Furthermore, Equifax employed the username “admin” and the password “admin” to
protect a portal used to manage credit disputes, a password that “is a
surefire way to get hacked.” This portal contained a vast trove of personal
information.

------
christophilus
I’m genuinely curious how this happens. I remember my first job in the
industry, just out of university. I knew nothing about security, but still
wouldn’t have done that. My first gig was in a credit union software company,
and the security standards were nonexistent, yet we still had more reasonable
passwords than this (which sounds like an installation default).

~~~
gnrlst
I'll tell you how this happens:

Colleague #1: "What password shall we set?"

Colleague #2: "Just leave it default for now as we're still testing, we will
change it later".

~~~
bouncycastle
Colleague #3: "Sounds good to me. We're behind the firewall and the NIC used
for Dell iDRAC or HP iLO is on an isolated network unique to the physical
datacenter. Remote access for our techs is managed through a secured bridge
that requires all sorts of security hoops on our company intranet, and remote
access for general internet traffic is not available due to the firewall
restrictions. There's no way hackers will get through that in the first
place."

~~~
Legogris
Colleague #4-20: Build various integrations to database, all with their own
ways of storing credentials.

Colleague #2: "It's really past due time to change the database password, but
first we have to make sure all critical systems can still access the
database."

~~~
bloopernova
Which is why forward planning and prompt action is worth so much.

I know I'm stating the obvious, but I've seen some worrying attitudes of "just
in time" that seem to go hand in hand with a misunderstanding of Scrum Sprints
or Kanban. Where people concentrate on the tree and ignore the vast
interconnected forest around them.

~~~
dspillett
Hence the old adage: days of work can save you hours of planning.

------
joshstrange
Scrolling through the comments I'm surprised (and not all at the same time) no
one has made a comment like this:

So what?

If an attacker is able to reach your DB, the ballgame is 90% of the way over
already. Yes, I understand that a strong U/P on the DB server would be 1 final
gate, but unless I'm living in some alternative reality I can tell you plenty
of companies use weak/shared/guessable passwords for stuff that shouldn't be
reachable from the outside like this. And honestly? Securing the DB with 1
extra (potentially useless) line of defense is an extremely low priority for
most businesses.

~~~
jandrese
Defense in depth is important in organizations for exactly this reason. It
only takes one admin falling for a well crafted phishing email to get an
insider in your network, which is why you need to design it in a way where
they find a whole new set of roadblocks once they're inside.

Sure they might eventually break those too, but it's time and effort and
opportunity to be caught.

------
notacoward
Equifax _failed to protect_ its main database with user name "admin" and
password "admin"

FTFY

------
Qasaur
> "Furthermore, Equifax employed the username “admin” and the password “admin”
> to protect a portal used to manage credit disputes, a password that “is a
> surefire way to get hacked.”"

The document does not state any further detail than this, so it is a bit
unclear as to what exactly was located on this portal - does not seem like it
was their main database anyhow.

Still incredibly incompetent though.

------
eyegor
An unnamed large bank in the US uses "admin"/"changeme" for a customer
database. I'd love to say more about it but unfortunately that would probably
identify me/them.

~~~
donut
Will you change it?

~~~
eyegor
I petitioned those with the power to do so, but it fell on deaf ears.
Unfortunately I did not have the authority to change it myself.

------
profitor
Where does it say they used the defaults for their "main database"? As far as
I'm aware it was "only" the password for a management portal for customer
complaints, not the keys to the kingdom.

~~~
democracy
Yeah, that's true " a portal used to manage credit disputes"

------
akgerber
I tried setting up credit freezes at all 3 credit agencies as a result of the
law making it free in the wake of the Equifax breach.

It took maybe 5 minutes at Experian and Transunion. Equifax's site 500'd when
I attempted to set it up, and they had no way to take a report. When I called
them on the phone, they suggested I send them a fax, and their customer
service rep suggested I was a useless person who would never go anywhere in
life when I said that was unacceptable and they should be out of business.

They should go out of business.

------
bookofjoe
>Equifax also failed to encrypt sensitive data in its custody. According to
the Amended Complaint, Equifax admitted that sensitive personal information
relating to hundreds of millions of Americans was not encrypted, but instead
was stored in plaintext, making it easy for unauthorized users to read and
misuse. Not only was this information unencrypted, but it also was accessible
through a public-facing, widely used website.

------
bloopernova
I'm using that headline as our thought of the day in group chat at work.
Because that is just egregious and negligent.

Nobody thought to raise that? to anyone?

Although I can understand. I have several people who now call themselves
DevOps on a project who have practically zero experience with systems
operations _or_ development, and have done some utterly incomprehensibly
stupid things. It doesn't matter how fancy your cloud tech is, if someone
creates VPCs with default ALLOW ALL rules, stuff is going to get compromised.
Worse yet, some are _fighting_ against changing the ingress rules because that
would show that they were wrong! I'd at the very least rotate them out and
replace them if I could. (rant over)

~~~
matwood
This can happen for many reasons. People just want to get whatever it is
working. There is probably a lot of time delivery pressure and something like
IAM is complicated.

IMO, the first step to fixing the problem is give DevOps the proper amount of
time to design the required permissions. It sounds easy from the outside, but
again IAM can be very complex.

Additionally, DevOps must think security first. That means a newly deployed
service has zero access and goes from there. Developers are going to be
annoyed, but DevOps needs to work with them and vice versa.
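
The two points above (a VPC or security group created with "allow all" ingress, and a new service that starts with zero access and earns rules from there) can be checked mechanically. The following is an added example, not code from this thread, from Equifax or from any cloud provider: a small Python audit over a security group in the shape that `aws ec2 describe-security-groups` returns. The sample group, its id, and the list of "never from the whole internet" ports are constructed for the example and are assumptions, not a standard.

```python
import ipaddress

# Ports that should never be reachable from every address on the internet:
# remote admin, out-of-band management (IPMI for iDRAC/iLO) and databases.
# This list is an assumption for the example, not an industry standard.
SENSITIVE_PORTS = {
    22: "ssh", 623: "ipmi", 1433: "mssql", 3306: "mysql",
    3389: "rdp", 5432: "postgresql", 27017: "mongodb",
}

# Constructed sample mimicking one entry of `describe-security-groups`:
# the classic "just allow everything so it works" group.
SAMPLE_GROUP = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}, {"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ],
}


def _is_world(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a prefix that covers every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _cidrs(rule):
    """All IPv4 and IPv6 ranges attached to one ingress rule."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def _exposure(rule):
    """Return (world_cidrs, reason) when the rule exposes all traffic or a
    sensitive port to the whole internet, otherwise ([], None).
    A world-open 443 on a web tier is deliberately not flagged."""
    world = [c for c in _cidrs(rule) if _is_world(c)]
    if not world:
        return [], None
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # AWS shorthand for every protocol/port
        return world, "all protocols and ports"
    if proto in ("tcp", "udp"):
        lo, hi = rule["FromPort"], rule["ToPort"]
        hit = [SENSITIVE_PORTS[p] for p in sorted(SENSITIVE_PORTS) if lo <= p <= hi]
        if hit:
            return world, "%s %d-%d covers %s" % (proto, lo, hi, ", ".join(hit))
    return [], None


def find_open_ingress(group):
    """List the rules in a group that an 'allow all' habit left world-open."""
    findings = []
    for rule in group.get("IpPermissions", []):
        world, reason = _exposure(rule)
        if reason:
            findings.append({"group": group["GroupId"], "cidrs": world, "reason": reason})
    return findings


def strip_world_exposure(group):
    """Return a copy of the group reduced toward deny-by-default: offending
    world ranges are removed, and a rule left with no ranges is dropped."""
    fixed = []
    for rule in group.get("IpPermissions", []):
        world, reason = _exposure(rule)
        if not reason:
            fixed.append(rule)
            continue
        kept = dict(rule)
        kept["IpRanges"] = [r for r in rule.get("IpRanges", []) if r["CidrIp"] not in world]
        kept["Ipv6Ranges"] = [r for r in rule.get("Ipv6Ranges", []) if r["CidrIpv6"] not in world]
        if kept["IpRanges"] or kept["Ipv6Ranges"]:
            fixed.append(kept)
    return {**group, "IpPermissions": fixed}


if __name__ == "__main__":
    for f in find_open_ingress(SAMPLE_GROUP):
        print("%(group)s: %(reason)s from %(cidrs)s" % f)
    print("after fix:", find_open_ingress(strip_world_exposure(SAMPLE_GROUP)))
```

Run against the sample, the audit flags the all-traffic rule and the Postgres port open to 0.0.0.0/0, leaves the public 443 and the SSH rule scoped to one /24 alone, and the stripped group comes back clean on a second pass. Feeding it real output (`aws ec2 describe-security-groups --output json`) only needs the `SecurityGroups` list iterated.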

~~~
bloopernova
Yes, least possible permissions is a tried and tested axiom that should be
foremost in people's minds. The same with layered security in depth, disabling
unneeded accounts, etc etc.

I'm seeing a lot more inexperienced people getting access to stage/production
systems (i.e. internet-facing to a greater or lesser extent) due to the DevOps
paradigm. Of course the role sounds cool so people advertise for it, and apply
for it, but there's a serious lack of understanding of just what it is!
Developers need a good understanding of Operations, and Operations Admins need
a good understanding of Development.

Things like not understanding the reason why you'd want to test the network
access and DNS lookup from the stage pods instead of their local machine. Or
not knowing how to perform basic source control tasks.

Of course, I can be dismissed as a grumpy old man. I am, I'm in my 40s and
23ish years of Linux operations has, I hope, taught me a couple of lessons.
But I'm not yelling at the kids to get off my lawn, I want to teach the kids
about correct garden maintenance, weeding, and when to plant bulbs and seeds
(to stretch a metaphor way too far!). I find people are resistant to learning
basics "because the cloud", or putting in due diligence because they're paid
too little (which I fully understand!)

Sorry, grumpy old sysadmin who is now a team lead with lots of responsibility
and too little time to brain dump his 20+ years into some younger heads. I'll
try to lighten up :)

------
bitexploder
This might seem shocking, but I did internals for many years and the number of
networks I completely compromised via SQL Server is pretty funny. Almost all
of them. sa/(blank) -- run xp_cmdshell, abuse server privileges to pivot to
other servers or right to domain admin, then compromise their non windows
environment with all the access. Networks still get owned this way on
internals / red teams all the time. Granted we expect a company with all our
personal data to do better, but they are still just a big company making the
same terrible choices as everyone else :)

------
bookofjoe
>Instead, due in part to Equifax’s failure to implement effective logging
techniques, hackers were able to continuously access this sensitive personal
data for over 75 days.

------
bookofjoe
>The company relied upon a single individual to manually implement its
patching process across its entire network.

------
ahbyb
Where was that database located? If I had a database in an offline computer
with that username and password, it wouldn't be a problem. I'm not saying this
is the case, but perhaps it had a whitelist of hosts that could connect to it,
which were "properly" protected?

------
zer0faith
Why is Equifax still a thing?

~~~
skratchpixels
This was my thought. Why do we need three credit reporting agencies?

TransUnion and Experian should be enough. I go through my reports and all
three are pretty much the same.

~~~
nerdponx
As tempting as it is to thirst for blood in this case, what you really want
to go after is upper management.

Credit rating isn't exactly a free market, but I'm very skeptical that we
should reduce any significant oligopoly from three corporations to two.

~~~
skratchpixels
My comment is only part blood thirst and part just wanting to simplify my
credit report tracking from a consumer perspective. I would also like as few
companies as possible having my personal information as possible especially
after problems like this.

The other part is if I'm applying for any kind of credit, I assume the most
conservative lender would look at all three results and just go with the
lowest credit score.

But I agree, even in a semi free market, competition is good.

------
CalChris
When I worked for BofA decades ago, there was a PDP-11 at the center of a
point to point network of other machines for handling SWIFT, Telex, FedWire
.... This network turned over the assets of the bank every 4 days and BofA at
the time was the largest private bank in the world.

The password for that console was _sesame_. Transactions were testworded but
otherwise sent in plain text. When I worked in Europe a few years later I
constructed my own telex bankwire transaction from a hotel in Italy. It was to
my account for my money but it worked, no questions asked.

------
throwaway5752
No offense, but while this is clearly embarrassing and incompetent, it's not a
huge gotcha.

Password auth is a speed bump. And once the physical/network barriers are
breached, it would just be a matter of time.

------
dmd
How many iDRACs around the world are accessible with "calvin"?

------
cyberferret
Tsk! I remember reading a white hat pen-test report once where a major US bank
had their master MS-SQL server left at the default root user 'sa' and no
password. From memory the pen-test team got full access to the main
transaction tables within a minute.

If I remember correctly, they immediately stopped the testing and reported it
to management, but I believe they never heard back as to whether the problem
was fixed. If anyone knows more details about this, I am sure we would all
appreciate an update.

------
ineedasername
In their defense, it's so awful that some hackers at least might not even try
it.

Also: "1..2..3..4..5 That's the kind of password an idiot puts on their
luggage!" \--Spaceballs

------
bookofjoe
>And, when Equifax did encrypt data, it left the keys to unlocking the
encryption on the same public-facing servers, making it easy to remove the
encryption from the data.

------
goatinaboat
Something similar occurred at a previous employer. They were counting on the
admin port being blocked on the firewall. This was 15 years ago but even
nowadays network guys tend to manage firewalls with spreadsheets and manual
updates rather than something like Chef so it’s unsurprising that it got
missed or overwritten in an upgrade or something.

------
bufferoverflow
How is that possible with all the regulation?

~~~
superzamp
I work with financial software and you'd be surprised how much of all this
"regulation" is based on self assessments. Auditors are looking for liability
shifts, not real security.

~~~
davismwfl
I was dumbfounded by this when I was consulting prior and worked with some
banks on mortgage compliance. Almost everything about banking is self
assessments and reporting. It is similar to the idea of Boeing doing self
testing for the FAA and reporting all is fine. Regulation doesn't bring safety
or security, it brings reporting that rarely gets analyzed and even if it is
there is no way it will show anything but the most blatant of fraud etc. It is
akin to closing the barn doors after the horses have all left, at least the
banks can say hey 10 horses left, but nothing was done to prevent it and they
won't get in trouble cause they reported on it.

At least that was kinda my takeaway from those jobs. I could just have a
skewed version based on the stuff I worked on.

------
hsnewman
"Was that wrong? Should I have not done that? I tell you, I gotta plead
ignorance on this thing because if anyone had said anything to me at all when
I first started here that that sort of thing was frowned upon, you know,
‘cause I've worked in a lot of offices and I tell you people do that all the
time."

------
linsomniac
"That's the kind of password an idiot would have on their luggage!" (with
apologies to Spaceballs)

------
LanceH
Is there some nuance to this admin/admin used to access a portal?

I can completely imagine a headline like this when there is an old basic auth
overlaying an application with a real password. It just seems unlikely that
all the logging in the customer service portal will say, "updated by admin".

~~~
jayd16
Could be something like the trivial portal login was protected by VPN.

------
aloknnikhil
These security nightmares beg the question: why don't databases use
asymmetric keys to authenticate & authorize access? Why are we still reliant
on password-based authentication? If it's simply a question of key
management and distribution, that's a solved problem.

~~~
ownagefool
Not all databases require passwords to authenticate. I'd imagine most popular
ones don't nowadays.

[https://www.postgresql.org/docs/12/client-authentication.htm...](https://www.postgresql.org/docs/12/client-authentication.html)

I imagine developing something like Equifax today, you'd want to hook it up
to your SSO, and use row-based security so a user can only read their row,
and then you focus your efforts on making sure user accounts, especially
privileged ones such as staff, aren't being abused. (You'd still probably
establish system-to-system level trust, such as keys between your API and DB.)

But it's so much easier and cheaper just to connect using a username and
password, and then do whatever the framework you chose does by default.

------
ivanche
At least they had a password /s

~~~
nathan_long
Are you being serious? If a bank "locked" its vault by tying the door closed
with yarn, would you say "at least they locked it"?

~~~
matwood
I believe it's a joke referencing the default password for mssql for many
years of sa/null. Eventually the install started forcing the user to change it
to something, but for a time there were many mssql databases out there with a
default password of null.

~~~
goatinaboat
Oracle's default password is change_on_install and you would be surprised at
how many DBAs type it every day without reading it...

------
peterwwillis
If all software automatically changed its own admin password after 121 days,
and refused to set old passwords (store the last 5 salted hash), that might be
a good enough stick to force people to rotate passwords themselves, and
default passwords would go away.

~~~
Akirus
And users rotate their same "password1", "password2", "password3" passwords
every expiration period...

~~~
peterwwillis
Yeah but you can't do anything about that unless you also enforce complexity.
If the goal is to prevent defaults (ex. to prevent drive-bys), the above does
that; "good" passwords is a separate requirement.
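
The mechanism proposed above (an admin account that expires its own password after 121 days and refuses the last 5 salted hashes) is small enough to show in full. This is an added example in Python, not code from the thread or from any product: it keeps a bounded history of scrypt hashes with per-entry salts, refuses reuse of anything still in the history, reports when rotation is overdue, and, as the "stick" suggested, can replace an expired password with a random one on its own. The hash parameters and the `EPOCH`/`day()` helpers are assumptions for the example; as the reply notes, it deliberately enforces no complexity rule, so a user choosing "password1", "password2" in turn is still accepted.

```python
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timedelta, timezone

ROTATION_DAYS = 121   # interval proposed in the thread
HISTORY_SIZE = 5      # "store the last 5 salted hashes"

# Fixed reference date so the example is deterministic (assumption).
EPOCH = datetime(2024, 1, 1, tzinfo=timezone.utc)


def day(n):
    """Date n days after EPOCH; convenience for the example only."""
    return EPOCH + timedelta(days=n)


def _hash(password, salt):
    # scrypt is memory-hard, so the stored history resists offline guessing.
    # Work factors here are an assumption for the example.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


class AdminPasswordPolicy:
    """Password state for one built-in admin account."""

    def __init__(self, rotation_days=ROTATION_DAYS, history_size=HISTORY_SIZE):
        self.rotation = timedelta(days=rotation_days)
        self.history_size = history_size
        self._history = []      # (salt, digest) pairs, oldest first; last = current
        self.rotated_at = None  # None until a password has been set at all

    def needs_rotation(self, now):
        """True when no password was ever set or the current one has expired."""
        return self.rotated_at is None or now - self.rotated_at >= self.rotation

    def _was_used(self, password):
        # Each history entry has its own salt, so every candidate must be
        # re-hashed per entry; compare_digest keeps the check constant-time.
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self._history)

    def set_password(self, password, now):
        """Install a new password. Refuses any of the last `history_size`
        passwords (the current one included). Returns True if accepted."""
        if self._was_used(password):
            return False
        salt = os.urandom(16)
        self._history.append((salt, _hash(password, salt)))
        del self._history[:-self.history_size]   # keep only the newest N
        self.rotated_at = now
        return True

    def verify(self, password):
        """Check a login attempt against the current password only."""
        if not self._history:
            return False
        salt, digest = self._history[-1]
        return hmac.compare_digest(_hash(password, salt), digest)

    def enforce(self, now):
        """What the software would do on the deadline: replace an expired
        password with a random one and hand it back once (to an operator or
        a vault). Returns None when nothing is due."""
        if not self.needs_rotation(now):
            return None
        while True:
            candidate = secrets.token_urlsafe(24)
            if self.set_password(candidate, now):   # random, so reuse is ~impossible
                return candidate


if __name__ == "__main__":
    policy = AdminPasswordPolicy()
    print("fresh install needs rotation:", policy.needs_rotation(day(0)))
    print("first password set:", policy.set_password("initial-setup-pw", day(0)))
    print("reuse refused:", not policy.set_password("initial-setup-pw", day(1)))
    print("forced at day 121:", policy.enforce(day(121)) is not None)
```

With a history of 5, the sixth distinct password pushes the first one out, after which it is accepted again; that is the documented limit of a history check and the reason the reply treats password quality as a separate requirement.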

------
bipolar_lisper
Why are these companies allowed to hold my identity information? I have no
form of credit and yet these companies are still allowed to keep track of me
and store my information in an insecure fashion. I hate how idiots control the
show in this country.

------
twoquestions
Doesn't surprise me in the least. What incentive do they have to not be
negligent?

------
nomercy400
I wonder if the Equifax case can be used as a precedent to 'dismiss' other cases
where a breach was made using "admin"/"admin".

Dismiss as in the same penalty Equifax had to pay per breached user.

------
wmeredith
How is this not dereliction of duty from a legal standpoint?

~~~
astura
Dereliction of duty is an offence under the UCMJ. Civilians working civilian
jobs for civilian companies are not subject to the UCMJ.

------
swalsh
If there was PHI in that database, equifax would be out of business already.
Why does PII not have the same level of scrutiny?

------
etxm
I’m not for capital punishment, but I’d like to see half of this company
ground-up and fed to the other half.

------
fastball
My main database doesn't have a password at all because it can only be
accessed by localhost.

------
octocop
I really appreciate reading this stuff directly from the source, thanks for
posting this!

------
aasasd
> _username ‘admin’ and password ‘admin’_

Ah damn, I gotta change the router password now?

------
octocop
I really appreciate reading this directly from the source, thank you

------
godelmachine
I was in stitches as soon as I read the headline :D

------
matwood
Just slightly better than sa/null.

------
totaldude87
this makes the password - "password" look like a complex password..

------
willart4food
WTAF? Funny and Sad.

------
flowersjeff
Tight!

------
dr-detroit
You didn't think those executives at Equifax got such impressive credit
ratings by NOT cutting corners, did you?

------
nkkollaw
Oh great. Now I have to change my password.

