Equifax has already put 143 million U.S. consumers’ sensitive private data at risk, and now it has a whole new problem on its hands: an online employee portal in Argentina, which could be easily accessed using ‘admin’ as both the username and password, according to the BBC.
It’s a less-than-reassuring development for the credit report provider, and it was revealed this week by cybersecurity expert Brian Krebs.
The vulnerability Krebs identified was in a web portal that let the company’s employees in Argentina access credit report disputes for Argentinian consumers, he said.
“It was wide open, protected by perhaps the most easy-to-guess password combination ever: ‘admin/admin,’” Krebs wrote in a blog post detailing exactly how the vulnerability was discovered by Hold Security LLC, a U.S. cybersecurity firm that Krebs advises.
Forbes reports that about 14,000 records were accessible on the site across 715 different pages.
Equifax has already shut down the website in question, according to the BBC.
“We learned of a potential vulnerability in an internal portal in Argentina which was not in any way connected to the cybersecurity event that occurred in the United States last week,” an Equifax spokeswoman told the BBC. “We immediately acted to remediate the situation, which affected a limited amount of information strictly related to Equifax employees.”
Krebs said that anyone who had gotten into the easy-to-access portal would have been able to access thousands of customers’ private data, including Argentinians’ national identification numbers. Unlike U.S. Social Security numbers, however, those numbers are not closely guarded, the BBC reports.
Still, cybersecurity expert Alan Woodward of the University of Surrey told the BBC that the kind of vulnerability seen in Argentina was “extraordinary.”
“It’s outrageous that any organization that holds such sensitive personal data can build a portal with this kind of basic security vulnerability,” Woodward said. “It simply shouldn’t happen and responding that they have now fixed the issue is not the point: it puts a huge question mark over whether Equifax have been applying the appropriate resources to online security elsewhere.”
Equifax told the BBC that there was no indication any sort of breach of the Argentinian data had happened.
“We have no evidence at this time that any consumers or customers have been negatively affected,” the spokeswoman said. “We will continue to test and improve all security measures in the region.”
Pressure is mounting for a federal investigation into the breach in the U.S.
Just yesterday, 36 U.S. senators pushed for an inquiry into the fact that three Equifax executives sold almost $2 million in shares of the credit report company before the breach became public, according to Reuters.