And the hits just keep coming for Equifax, the once-trusted credit-monitoring firm that has been embroiled in one of the biggest corporate public-relations disasters in recent memory since disclosing that hackers had penetrated its cyber security defenses and absconded with sensitive personal and financial data belonging to 143 million Americans. Because of the types of data that were stolen, including drivers’ license, social security and credit-card numbers, experts have described the hack as possibly the most damaging corporate hack yet.
As if this weren’t enough to permanently sully the firm’s reputation (amid cries of “you had one job!”) – the staggering irony of a credit monitoring firm inadvertently divulging the sensitive information that it was supposed to safeguard hasn’t been lost on consumers) a series of subsequent disclosures have portrayed the firm’s executives as bungling, at best, and nefarious, at worst.
In the nearly two weeks since the story broke…
- It was revealed that three of the firm’s executives, including its CFO, cashed out of stocks and options worth some $2 million in the month between when the company first learned about the hack, and when it was disclosed to the public. A federal prosecutor in Atlanta has opened a criminal investigation into Equifax that will focus both on whether the firm was criminally negligent in failing to patch a hole in its cybersecurity systems, as well as whether the suspect stock sales constitute securities fraud.
- The company’s head of cyber security was revealed to have no background in computer science or security – a fact the company tried to hastily cover up by scrubbing her social-media profiles. Susan Mauldin, Equifax’s chief information security officer, has a bachelor’s degree in music composition and a master’s in fine arts from the University of Georgia.
- Several Congressional committees have asked the company to turn over information relating to the hack as multiple investigations appear to be getting under way. The attorneys general of a handful of states, including Massachusetts and Rhode Island, have joined a probe into the company’s handling of the breach.
- The company has been hit with dozens of lawsuits from consumers alleging fraud, abuse and negligence.
- Equifax CEO Rick Smith has been called to testify before a special House panel early next month.
When Equifax first set up a website to allow consumers to check whether their information was compromised, it carried a waiver stating that by using the service consumers would forfeit the right to sue Equifax. The internet quickly exploded in outrage, and the company quickly clarified that the waiver didn’t apply to this hacking incident, which…sure. Now, The Verge, The New York Times and a handful of other media outlets are reporting that Equifax accidentally tweeted the link to an imposter website set up by a white-hat hacker hoping to expose gllaring errors that the firm had made in setting up its verification website. This happened not once, but three times. And in at least one instance, the tweet with the phony link was left up for a whole day.
Here’s The Verge:
“Today, Equifax ended up creating that exact situation on Twitter. In a tweet to a potential victim, the credit bureau linked to securityequifax2017.com, instead of equifaxsecurity2017.com. It was an easy mistake to make, but the result sent the user to a site with no connection to Equifax itself. Equifax deleted the tweet shortly after this article was published, but it remained live for nearly 24 hours.”
Luckily for consumers, the fake site wasn’t malicious. Instead, it was set up by developer Nick Sweeting to try and expose the glaring security vulnerabilities that the company had embedded in its recovery website, which it set up as a separate domain, rather than making it a subdomain of Equifax’s main website.
“Luckily, the alternate URL Equifax sent the victim to isn’t malicious. Full-stack developer Nick Sweeting set up the misspelled phishing site in order to expose vulnerabilities that existed in Equifax’s response page. “I made the site because Equifax made a huge mistake by using a domain that doesn’t have any trust attached to it [as opposed to hosting it on equifax.com],” Sweeting tells The Verge. “It makes it ridiculously easy for scammers to come in and build clones — they can buy up dozens of domains, and typo-squat to get people to type in their info.”
Sweeting says no data will leave his page and that he “removed any risk of leaking data via network requests by redirecting them back to the user’s own computer,” so hopefully data entered on his site is relatively safe. Still, Equifax’s team linked out to his page. That isn’t reassuring.”
— Nick Sweeting 🚲 (@thesquashSH) September 20, 2017
Prior to Equifax customer service sharing the imposter site, Sweeting says he emailed the company’s support team and tweeted to Equifax that he spotted a potential vulnerability. By the time the site was taken down, Sweeting says it had received more than 200,000 hits. In the spirit of transparency, Sweeting included a disclaimer on his site warning consumers that it was a fake – and blasting Equifax for its sloppy security practices.
According to the NYT, phishers cannot create a page on the equifax.com domain, so if the website were hosted there instead, it would be easy for users to tell that the page was legitimate.
“Fortunately for the people who clicked, Mr. Sweeting’s website was upfront about what it was. The layout was the same as the real version, complete with an identical prompt at the top: “To enroll in complimentary identity theft protection and credit file monitoring, click here.” But a headline in large text differed: “Cybersecurity Incident & Important Consumer Information Which is Totally Fake, Why Did Equifax Use A Domain That’s So Easily Impersonated By Phishing Sites?”
The legitimate Equifax domain was securityequifax2017.com. Sweeting’s was equifaxsecurity2017.com. And as one cybersecurity expert told the NYT, even the legitimate website looks fake because it’s not a subdomain of the larger Equifax site.
“You would think that would be the obvious place to start,” said Rahul Telang, a professor of information systems at Carnegie Mellon University. “Create a subdomain so that if somebody tries to fake it, it becomes immediately obvious.”
The company’s actions, Telang told the NYT, suggest that it had never anticipated or planned for a breach.
This has become clear in the last few weeks. Now, the only thing left to be decided is whether the fact that the company was almost comically unprepared for a hack rises to the level of criminal negligence.