The leading credit bureau, Equifax, again faced global embarrassment when a portion of its website went offline on 12 October 2017 after code embedded on the website redirected users to a third-party URL that asked them to download malware. The incident came to light through the technology news site Ars Technica when Randy Abrams, an independent security analyst, went to the Equifax site to download his credit report. On clicking a visible link, he was redirected to a third-party website with “one of the ubiquitous fake Flash Player Update screens”.
This incident comes within a month of the Equifax data breach in which the birth dates and Social Security numbers of 145.5 million Americans were exposed. In March, federal officials had allegedly warned Equifax of a potential breach, but the company failed to take the information seriously and apply the necessary security patches.
Commenting on the latest fiasco, the company said that the problem arose from third-party code it used to collect website performance data, and blamed that third-party code for serving malware content. After the incident was reported, Equifax confirmed that the code had been deleted and that the affected page or pages had been taken offline for further analysis. The company spokesperson confirmed that the malicious code didn’t compromise the system and that the consumer online portal remained safe.
After last month’s data breach, Equifax set up the equifaxsecurity2017.com website to help its users determine whether their data had been compromised. However, it was concurrently reported that the company’s Twitter administrators advised users to access a different URL with a similar name. The site in question was created by an engineer to show how easy it is to imitate the Equifax website for phishing and misdirect users, throwing light on grave security issues affecting the company.
To prevent data breaches and data losses, a Republican congressman, Patrick McHenry, has introduced a bill in the parliament that would prevent credit rating and reporting companies from accessing the Social Security numbers of Americans. Accordingly, TransUnion, Experian, and Equifax would have to phase out their total dependence on Social Security numbers by 2020.