The credit report provider Equifax has been accused of a fresh data security breach, this time affecting its Argentine operations.
Cyber-crime blogger Brian Krebs said that a line employee of the tool that is used in the country can be accessed by typing “admin” as user and password.
He added that this gave him access to the records that included thousands of clients of the national identity of the numbers.
Last week, the firm revealed separately, an attack that affects millions of people in the united states.
After being notified of the last violation, Equifax temporarily closed the affected web site.
“We have learned of a potential vulnerability in an internal portal in Argentina that was not in any way connected to the cyber-security event that occurred in the united States last week,” an Equifax spokeswoman told the BBC.
“We acted immediately to remedy the situation, which affected a limited amount of information strictly related to Equifax employees.
“We don’t have any evidence at this time that all the consumers or customers who have been negatively affected, and we will continue to test and improve all the security measures in the region”.
The discovery came less than a week after Equifax revealed that another failure meant around 143 million consumers in the united states and an undisclosed number of British and Canadian residents might have had personal data exposed.
The company took six weeks to make the discovery public after first learning of a problem.
On Tuesday, 36 united states senators called for a federal investigation into how three executives of the company went on to sell nearly us $2 million (Â£1.5 m) value of the shares of the company in the meantime.
Equifax also faces dozens of legal claims on the matter.
The lord Krebs wrote that the Argentina matter involved Equifax local business Truthful.
Specifically, a web application referred to as Aid, the Spanish for “help” – seems to have been weakly protected.
“[She] was open, protected by perhaps the most easy-to-guess password is: admin/admin,” wrote Mr. Krebs.
The discovery was made by the cyber-security firm Hold Security, which Mr. Krebs advised.
Their researchers explored the portal and inside found a list of more than 100 Argentine employees, the blogger revealed.
The use of this list were able to discover the workers of the company the user names and passwords, which turned out to be the match of words in each instance.
Each sample amounted to only the worker’s last name or a combination of your surname and first initial, which made them quite easy to guess anyway, Mr. Krebs added.’Extraordinary’
“But wait, it gets worse,” he wrote in his blog.
“From the main page of Equifax.com.ar employee portal was a listing of some 715 pages worth of complaints and claims presented by the Argentineans who had at one point over the last decade contacted Equifax via fax, phone or e-mail to dispute issues with your credit reports.
“The site also lists each person’s DNI [national identity document]- the Argentine equivalent of a social security number – again, in plain text.”
In total, there were more than 14,000 records, Mr Krebs said, concluding that the company had been “careless”.
One uk-based cyber-security experts agreed.
“This type of security vulnerability is extraordinary, as even the most basic of controls should reveal this,” Professor Alan Woodward, of the University of Surrey, told the BBC.
“It’s outrageous that any organization that holds sensitive personal data, you can build a portal with this type of basic security vulnerability.
“It’s just not happening, and he replies that now they have solved the problem is not the point: it puts a big question mark on whether Equifax has been in the application of the resources corresponding to the line of safety in another part.”