We already know that more than 143 million Americans’ personal identifying information was compromised as part of Equifax’s two-month-long data breach. If you thought that was bad enough, it gets worse: The credit reporting agency’s lax data security may have affected tens of millions more consumers across the world.
While Equifax previously noted that an undisclosed number of customers in the U.K. and Canada were affected by the breach, Krebs on Security reports the fiasco could go further.
However, it’s not the same two-month-long breach at play, but rather Equifax’s allegedly subpar internal security.
Argentina Admin Access
Krebs on Security reported Tuesday that Argentina should be added to the list of possible breach sites after security researchers found security gaps in the company’s South America operations.
Researchers at Hold Security claim that an examination of Equifax’s South American operations, known as Veraz, found that an online portal that allowed Equifax employees in Argentina to manage credit report disputes was essentially left wide open to ne’er-do-wells.
According to the researchers, the portal contained one of the most easily guessed username/password combinations: admin/admin.
The site, which has since been taken down, allowed those with access to view the names of more than 100 Equifax employees, as well as their employee ID and email addresses, Krebs on Security reports.
Using this information, the researchers were able to determine the employees’ usernames and passwords, which just so happened to be a variation of their last name, or their last name and initial.
Worse yet, those with access to the site — which could be anyone if they guess the correct password combination — could view thousands of complaints or disputes submitted by customers.
Krebs notes that this information also included customers’ identity number — Argentina’s version of Social Security numbers. However, it should be noted that this number is already publicly available.
Krebs shared the discovery with Equifax, and the company’s law firm contacted the security expert.
“They later confirmed that the Veraz portal was disabled and that Equifax is investigating how this may have happened,” Krebs writes.
A rep for Equifax tells the BBC that the company acted immediately to address the issue.
“We have no evidence at this time that any consumers or customers have been negatively affected, and we will continue to test and improve all security measures in the region,” the rep said.
It’s unclear if other countries are affected by this same lax security issue; Krebs notes that Equifax has operations in other South American countries, including Brazil, Chile, Ecuador, Paraguay, Peru, and Uruguay.
“To me, this is just negligence,” Alex Holden, founder of Hold Security, tells Krebs. “In this case, their approach to security was just abysmal, and it’s hard to believe the rest of their operations are much better.”
As for the original data breach Equifax disclosed last week, new estimates claim that at least 44 million consumers in the U.K. were affected.
But those customers might not even know Equifax has their information. That’s because they’re used to dealing with actual U.K. companies that do business with Equifax, including BT (a major British telecommunications firm), Capital One, and British Gas.
A rep for BT tells The Telegraph that it is monitoring the situation closely.
“Like many companies in the UK, BT uses Equifax services. We are working on establishing whether this breach has any impact on those services,” the rep said.
The Telegraph reports that the Information Commissioner’s Office in the U.K. has opened its own investigation into the Equifax breach.
ICO deputy commissioner James Dipple-Johnstone tells The Telegraph that the office is in contact with Equifax to determine the actual extent of the breach in that country.
“We will be advising Equifax to alert affected UK customers at the earliest opportunity,” he said. “In cyber attack cases that cross borders the ICO is committed to working with relevant overseas authorities on behalf of UK citizens.”
As for those affected in Canada, an estimate is unknown. However, CNN reports that Equifax’s largest customer in the country is the Canadian Imperial Bank of Commerce (CIBC). The company says it is investigating the situation.