Lee B Posted October 12, 2017

SAN FRANCISCO — Equifax says its systems were not breached and blamed a third party vendor for running malicious code.

On Thursday a security analyst reported a link on the Equifax website redirected him to a third-party site that encouraged him to download malware.

"The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content," Equifax said in a statement. "Since we learned of the issue, the vendor’s code was removed from the web page and we have taken the web page offline to conduct further analysis."

Security analyst Randy Abrams said he encountered the malicious link when downloading his credit report.

A link on the Equifax site directs users to an announcement that the credit report assistance page is down for maintenance.

Shares dropped as much as 3.5% Thursday.

"This incident should serve as a warning for any website operator to know and control vendor risk in the digital world – all website code, both first and third party, should be continuously monitored to avoid these scenarios," Chris Olson, CEO of cybersecurity firm The Media Trust said in an emailed statement.

Be careful everywhere!

SaraEA Posted October 13, 2017

You really can't make this stuff up. This disaster wasn't caught by Equifax but by a user of their website. Lucky it was Abrams, who has a 30-year career in IT security and knew exactly what was happening when the malicious software was downloading. He went into "professional mode" and tried again 30 times (and the malware attempted to download all 30), taking screenshots and writing up directions for what users should do when this happened.

Equifax's response? "Out of an abundance of caution" we took that webpage down. An abundance of caution? Isn't that what you say when something doesn't appear to be a big or widespread problem but you want to keep your clients happy so are taking action even if the situation doesn't really call for it? After what just happened to them you'd think their IT would be like Fort Knox by now. The malware didn't affect the company, just the people going to their site for their free credit report, so what's the problem?

Most decent businesses that have good privacy/security policies in place and actually follow them demand that their vendors have the same or better standards. Any company that still uses Equifax for credit data obviously doesn't follow this creed. I recently shopped my insurance and asked a potential insurer what credit reporting agency they used so I could unlock my frozen report for them. They said Equifax, and I said no dice, I'll try other insurers.

One little problem is that the IRS is using Equifax. How do I stop doing business with them?

Catherine Posted October 13, 2017

14 hours ago, SaraEA said:
> One little problem is that the IRS is using Equifax. How do I stop doing business with them?

Ah, *there* is the $64,000 question! When you find an answer, PLEASE let us all know!

BulldogTom Posted October 13, 2017

Well, in an abundance of caution on the part of the IRS, they have "temporarily suspended" their no-bid contract with Equifax. Did someone read the newspaper finally at the Treasury Department and realize just how stupid they looked?

But I bet Equifax still gets the contract in the long run because the IRS does not have a plan B in place for a different vendor to come in and take over security verification. I am willing to bet a Vende Fappuccino from Starbucks that the design of the security verification platform at IRS only works with Equifax.

Tom
Modesto, CA

Catherine Posted October 13, 2017

Sorry, @BulldogTom, but I don't take "sucker bets" ever. LOL!