After the huge data breach suffered by Equifax you would think that the credit reporting company would be extra careful, but it seems the message hasn’t hit home.
On September 7, more than a month after discovering the breach, Equifax disclosed that the private data of over 140 million people had been exposed. It then set up a website for worried customers to check whether they had been affected, equifaxsecurity2017.com, rather than hosting it on the equifax.com domain it already owned.
Just as a fun way to test it out, security researcher Nick Sweeting registered securityequifax2017.com (the same words in a different order) and gave it a familiar look and feel, just as phishers do every day.
To make it very clear that it was a joke, he put a headline on the fake website, saying: ‘Cybersecurity Incident & Important Consumer Information which is Totally Fake, why did Equifax use a domain that’s so easily impersonated by phishing sites?’
That statement wasn’t enough to alert Equifax’s social media staff, however. Soon after the site went up, Equifax’s official Twitter feed started linking to Sweeting’s fake page: in a series of posts dating from September 9, somebody called Tim on Equifax’s social media team tweeted the wrong URL to customers concerned about their data.
The tweets, which have since been removed, continued until September 18, when they were spotted on Twitter. It is not known how many people were directed to the site, which has since been blocked by Google.
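Two lessons sit in the paragraphs above: a domain built by gluing dictionary words together invites word-order lookalikes, and any link a support team publishes should be checked against an allowlist before it goes out. The following script, added here as an illustration and not code from Equifax, Sweeting or the article, enumerates the reorderings of the official domain's tokens and classifies outbound links against them. The token split of the domain, the allowlist and the sample tweets are constructed assumptions; only the two domain names come from the article.

```python
"""Lookalike-domain generation and outbound-link checking.

Added example (not Equifax's or Sweeting's code). The official domain
equifaxsecurity2017.com and the lookalike securityequifax2017.com are
from the article; the token split, the allowlist and the sample tweets
below are constructed assumptions for illustration.
"""
from itertools import permutations
from urllib.parse import urlparse

# Tokens the registered name is built from (constructed assumption: the
# article's domain is the concatenation "equifax" + "security" + "2017").
OFFICIAL_TOKENS = ("equifax", "security", "2017")
OFFICIAL_DOMAIN = "".join(OFFICIAL_TOKENS) + ".com"

# Domains a social media team is allowed to link to (constructed allowlist).
ALLOWED_DOMAINS = {"equifax.com", OFFICIAL_DOMAIN}


def lookalike_domains(tokens=OFFICIAL_TOKENS, tld="com"):
    """Return every domain spelled with the same tokens in a different order.

    Any reordering of dictionary-word tokens reads as plausibly as the
    original, so a defender should register or at least monitor each one.
    """
    variants = set()
    for order in permutations(tokens):
        name = "".join(order) + "." + tld
        if name != OFFICIAL_DOMAIN:
            variants.add(name)
    return sorted(variants)


def registered_domain(host):
    """Reduce a hostname to its last two labels (assumes a plain .com-style TLD)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url, allowed=ALLOWED_DOMAINS):
    """Classify a URL before it is published.

    Returns "allowed" (on the allowlist), "lookalike" (same tokens, wrong
    order) or "unknown" (anything else off the allowlist).
    """
    host = urlparse(url).hostname or ""
    domain = registered_domain(host)
    if domain in allowed:
        return "allowed"
    if domain in set(lookalike_domains()):
        return "lookalike"
    return "unknown"


# Constructed sample tweets, not the real ones.
SAMPLE_TWEETS = [
    "Check whether you were affected: https://www.equifaxsecurity2017.com/",
    "Please visit https://securityequifax2017.com for more information.",
    "More details at https://www.equifax.com/personal/",
]


def audit_tweets(tweets=SAMPLE_TWEETS):
    """Return [(url, verdict), ...] for every http(s) link found in the tweets."""
    results = []
    for text in tweets:
        for word in text.split():
            if word.startswith(("http://", "https://")):
                results.append((word, check_link(word)))
    return results


if __name__ == "__main__":
    print("Lookalikes worth registering:", lookalike_domains())
    for url, verdict in audit_tweets():
        print(f"{verdict:9s} {url}")
```

Run as a pre-publish hook, anything that is not "allowed" should block the post; the "lookalike" verdict is the case the article describes, and "unknown" catches everything else. A production version would use a public-suffix list instead of the two-label shortcut in `registered_domain`, and would add hyphenated and typo variants to the lookalike set.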
It is yet another embarrassing episode in the company’s recent history, and hardly inspires confidence in its ability to keep its customers’ data safe.
The original breach itself was reportedly only possible because the company had left a known Apache Struts flaw unpatched for months.
You would hope that Equifax would have learnt their lesson and be ultra-careful to check everything now. Or maybe not.