Equifax is forced to take down a web page serving dodgy downloads and malware
Credit monitoring firm Equifax’s woes are continuing after it was forced to remove one of its web pages due to concerns it was running dodgy code.
Equifax took the affected web page offline “out of an abundance of caution” following reports that one of its third-party partners had been serving malware. The company was keen to stress it has not suffered another cyberattack, following a major breach in July, and that its systems had not been compromised.
This latest issue featured a page that asked visitors to download infected Adobe Flash updates, according to Ars Technica, and was spotted by an independent security analyst.
It comes just days after the company had to admit a staggering 15.2 million records in the UK may have been affected in July’s data breach.
Equifax is currently the subject of multiple investigations and lawsuits from customers following the disclosure of the major hack and, last month, Equifax said more than 143 million people (including 400,000 UK citizens) could be at risk following “unauthorised access” to its systems. This UK figure has now risen to 700,000 and those affected may have had email addresses, passwords, driving license numbers, phone numbers and even partial credit card details stolen.
The Telegraph is reporting that a further 14.5 million records could have contained names and dates of birth.
This is the latest in a long line of problems for the company which saw Equifax’s CEO Richard Smith leaving his role as Chairman of the Board and Chief Executive Officer on 26 September. Board member Mark Feidler stepped up to serve as Non-Executive Chairman and Paulino do Rego Barros, Jr was appointed as interim Chief Executive Officer following Smith’s departure.
Only a week earlier, the global company came under fire for inadvertently sending concerned customers to a fake site. A number of tweets from Equifax’s official handle prompted people to visit securityequifax2017.com – a website deliberately set up by a developer, Nick Sweeting, to highlight Equifax’s failings in its handling of the breach.
Following the announcement that its systems had been hacked, Equifax set up a website called equifaxsecurity2017.com, as reported by Gizmodo, designed as a hub for anyone looking for help and advice. Sweeting’s look-alike site carried Equifax branding but was deliberately made to look different from the official site, because his sole aim was to criticise Equifax rather than fool customers.
The twist in the tale came when Equifax’s official Twitter handle began directing people to the fake site by mistake. The tweets were sent sporadically over a two-week period, interspersed with tweets directing other customers to the correct site. When Sweeting tweeted the company’s error, the linked tweet was deleted while others remained. Sweeting’s tweet and screenshots of the mistakes are below.
In a statement revealing the breach earlier this year, Equifax said: “Criminals exploited a US website application vulnerability to gain access to certain files. The company has found no evidence of unauthorised activity on Equifax’s core consumer or commercial credit reporting databases.”
Equifax also included a link at the bottom of that page labelled ‘Potential Impact’. Clicking that will let US users check to see if they’ve been affected by the attack.
However, shortly after this website went live, reports suggested that typing the word ‘test’ into the form would generate a false breach report, while the PINs issued to access the site were simply timestamps, making them easy to guess. This has led to various complaints, and affected people are being encouraged to sue Equifax using a litigation chatbot called DoNotPay (the bot is the work of Joshua Browder, whom we interviewed last July).
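To show why a timestamp-derived PIN is so weak, here is an added example (not code from the article or from Equifax) that contrasts a PIN built from the enrolment time with one drawn from a CSPRNG, and includes an audit check a defender could run over already-issued PINs. The MMDDYYHHMM layout and the sample enrolment time are assumptions.

```python
import secrets
from datetime import datetime, timedelta

PIN_DIGITS = 10
TIMESTAMP_LAYOUT = "%m%d%y%H%M"  # assumed layout of a timestamp-based PIN


def timestamp_pin(enrolled_at: datetime) -> str:
    """Weak scheme: the PIN is just the enrolment time written as digits."""
    return enrolled_at.strftime(TIMESTAMP_LAYOUT)


def timestamp_guess_space(window: timedelta) -> int:
    """How many distinct timestamp PINs exist for enrolments inside `window`
    (one per minute), i.e. the size of the space an attacker must search."""
    return int(window.total_seconds() // 60) + 1


def random_pin() -> str:
    """Hardened scheme: every 10-digit value is equally likely."""
    return "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))


def random_guess_space() -> int:
    return 10 ** PIN_DIGITS


def looks_like_timestamp(pin: str, earliest: datetime, latest: datetime) -> bool:
    """Audit check: flag a PIN that parses as a plausible enrolment time
    within the service's lifetime. Random PINs rarely pass this test."""
    try:
        ts = datetime.strptime(pin, TIMESTAMP_LAYOUT)
    except ValueError:
        return False
    return earliest <= ts <= latest


# Constructed sample data, not real Equifax records.
SAMPLE_ENROLMENT = datetime(2017, 9, 8, 14, 37)
SERVICE_WINDOW = (datetime(2017, 9, 7), datetime(2017, 10, 31))


def audit_summary() -> dict:
    weak = timestamp_pin(SAMPLE_ENROLMENT)
    return {
        "weak_pin": weak,
        "weak_flagged": looks_like_timestamp(weak, *SERVICE_WINDOW),
        "weak_space": timestamp_guess_space(SERVICE_WINDOW[1] - SERVICE_WINDOW[0]),
        "strong_space": random_guess_space(),
        "strong_len": len(random_pin()),
    }
```

The guess space for the timestamp scheme is tens of thousands of values over a two-month window, against ten billion for the random scheme of the same length.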
Equifax is a huge credit reporting firm that holds details on any consumer who applied for a loan, mortgage, credit card and more through its partner companies. It also offers identity theft protection for businesses and their customers and employees if the business itself has suffered a data breach.
Based on the company’s investigation, the unauthorised access is said to have occurred from mid-May through July 2017 and was discovered on 29 July – yet it has only just been disclosed. Following the discovery of the breach, three Equifax managers sold their shares, denying that they knew about the breach at that time. The latest news about a potentially earlier breach could have dramatic ramifications for these claims. On Friday 15 September, two of the company’s top security executives announced their retirement.
Commenting on why it took so long to alert customers, Equifax said: “As soon as Equifax discovered the unauthorised access, Equifax acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm which has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Because this incident involves a substantial amount of personal identifying information, the investigation has been complex and time-consuming. As soon as we had enough information to begin notification, we took appropriate steps to do so.”
As part of the Equifax breach in the US, hackers accessed social security numbers, birth dates, addresses and, in some cases, driver’s license numbers. Additionally, credit card numbers for approximately 209,000 customers in the US, and files with personal information from dispute files for approximately 182,000 people were exposed.
The statement added that Equifax identified unauthorised access to “limited personal information for certain UK and Canadian residents,” but didn’t elaborate further. More recently, the company confirmed the breach hit around 400,000 UK customers. The company said it will now work with UK and Canadian regulators, including the UK’s National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO), to take the next steps and inform those affected.
Following the breach, a spokesperson for ICO said: “It is always a company’s responsibility to identify UK victims and take steps to reduce any harm to consumers. The Information Commissioner’s Office has been pressing the firm to establish the scale of any impact on UK citizens and have also been engaging with relevant US and UK agencies about the nature of the data breach.
“It can take some time to understand the true impact of incidents like this, and we continue to investigate. Members of the public should remain vigilant of any unsolicited emails, texts or calls, even if it appears to be from a company they are familiar with. We also advise that people review their financial statements regularly for any unfamiliar activity.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologise to consumers and our business customers for the concern and frustration this causes,” said chairman and CEO Richard F. Smith. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”
How to protect yourself
In addition to setting up a dedicated website, Equifax said it will directly contact customers who have been affected. It has also contacted an independent cybersecurity firm to assess what happened.
The NCSC said that as it doesn’t appear any password-related data was involved in this breach, it does not recommend UK citizens reset their passwords on other services.
“The main risk to UK citizens affected by this data breach is that they could be on the receiving end of more targeted and realistic phishing messages,” an NCSC statement said. “These phishing messages may be unrelated to Equifax and may use more well-known brands. It is unlikely that any organisations will ask their customers to reset security information or passwords as a result of the Equifax breach, but this may be a tactic employed by criminals.”
Separately, the NCSC is warning that fraudsters may also call people pretending to be from other firms, again unlikely to be Equifax as this would immediately raise suspicion. If you receive such a call asking for personal information, don’t give it, and hang up if need be. You should then contact the organisation the caller claimed to be from.
For a limited time, Equifax is giving customers free access to their credit reports so they can manage and monitor any unusual activity through its TrustedID Premier tool. This includes five separate features: copies of your Equifax Credit Report; credit file monitoring with automated alerts of key changes to your Equifax, Experian and TransUnion credit files; a lock to prevent outsiders accessing your Equifax credit report; scanning of suspicious websites for your social security number; and up to $1 million in ID theft insurance.
Equifax has created a guide to help people enroll and activate these features. However, to enroll in this product, you need to hand over your details (to a company which has just admitted it leaked customer details). Given the scale of the breach, the Federal Trade Commission has issued the following advice:
- Check your credit reports for free at annualcreditreport.com. Accounts or activity you don’t recognise could be a sign of identity theft.
- Monitor your credit card and bank accounts for charges you don’t recognise.
- Consider placing a fraud alert on your files.
- Visit IdentityTheft.gov for further advice.
Commenting on the breach, Etienne Greeff, CTO and Co-Founder of SecureData, described the response as “shambolic.”
“It appears the company is more concerned about its own image than supporting customers and providing transparency on what exactly has happened,” Greeff said. “With the GDPR legislation due to come down heavily on companies that neglect to better protect customer data, this should serve as a lesson to other businesses about how to be more prompt and forthcoming with action against cybercrime.”
Equifax share price
Following the news of the Equifax breach, shares in the company plummeted, taking a significant hit after hours from $142 down to $124 – a drop of 13.12%. This drop is likely to have been fuelled further by reports about Equifax managers selling shares shortly after the company learnt about the breach.
As reported by Bloomberg, Equifax discovered the data breach on 29 July. On 1 August and 2 August, three executives – CFO John Gamble, Joseph Loughran and Rodolfo Ploder – made $946,374, $584,099 and $250,458 respectively from the sale of their shares, according to SEC documents from August. A statement said these executives had “no knowledge” of the breach at the time they sold their shares.
In addition to this sharp decline, Equifax is now facing litigation. A handful of affected customers has launched a class action lawsuit against the company and is encouraging others to join. Elsewhere, the DoNotPay bot will sue Equifax on your behalf for negligence in small claims court.