Equifax breach, round two: The firm confirms it may have been targeted in another cyberattack

Equifax announced it was the target of another cybersecurity incident on Thursday, going so far as to shut down parts of its website. Mike Stewart/AP

Equifax has experienced another cybersecurity incident, according to the company website. Reports suggest the incident relates to questionable link redirects that appeared on part of the firm’s website. As of 5:00 p.m. Eastern Thursday, the company was not offering any of its usual subscription products for sale online, with the exception of TrustedID Premier, a free offering the company rolled out as amends after the company accidentally leaked the personal information of more than 145 million people.

“Due to the cybersecurity incident, we are offering all U.S. consumers identity theft protection and credit file monitoring through TrustedID Premier,” the company website reads. “No other subscription products are available for purchase at this time.”

The incident, which Equifax later clarified in a statement involved a third-party vendor, was identified by a malware researcher who passed the news to the technology publication Ars Technica. As the publication explains, the researcher happened to be logging in to contest a charge on his credit report when he found pop-up links to fake Adobe Flash updates that he believed were an attempt to install some sort of malware.

Equifax is reporting another cybersecurity incident on its site, though it's unclear how many people were affected, if any. Mic/Equifax

“Despite early media reports, Equifax can confirm that its systems were not compromised,” said an Equifax spokesman in an email to Mic. “The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content. Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis.”

The spokesman didn’t immediately respond to questions about when the site would be operational again, but unless you downloaded something from one of the links, it’s unclear how the hackers would have been able to install any malware onto your computer.

If your data may have been compromised and you have not already done so, you might consider freezing your credit: Here is a guide on how to prevent new lines of credit from being opened up with any of the major bureaus. Other tips? Double down on any ongoing efforts to protect your online identity, for instance by enabling two-factor authentication and maintaining rigorous passwords.

Equifax has so far leaked a great deal of the personal information a thief would need to open up new credit cards or even take out car loans in your name. On Oct. 10, the Wall Street Journal reported that the first breach included the driver’s license numbers of almost 11 million Americans.

The price of Equifax stock plummeted Thursday morning, as the Wall Street Journal’s Henry Williams noted on Twitter, though the stock had recovered a bit to about $109 per share by the time markets closed at 4:30 p.m. Eastern.

The company has faced a steady barrage of criticism over the handling of the leak: Many of the highest-level employees at the company, including former CEO Richard Smith as well as the company’s chief information officer and chief security officer, have left the company since the hack.

Making matters worse, a Bloomberg report later found that three senior executives had sold their company stock after the leak was identified but before it went public, though the company denied any wrongdoing.

The company has unsurprisingly become a major target for consumer advocates, particularly Ron Lieber, a longtime personal finance columnist for the New York Times who has taken to live-Tweeting his interactions with Equifax customer service. On Wednesday Lieber confirmed yet another consumer complaint: Customers who froze their credit with Equifax have been unable to unfreeze it when applying for legitimate loans. When news of the latest attack broke, Lieber Tweeted that he was “out of words.”

“This is a forever thing,” said Matt Schultz, senior analyst with CreditCards.com, in an email to Mic. “Don’t assume that you’re safe just because your information hasn’t yet been used fraudulently.”

All this outrage has started to move the needle with lawmakers. On Thursday, the Wall Street Journal reported that Rep. Patrick McHenry of North Carolina planned to introduce a bill that would require all three of the credit bureaus to agree to be subject to cybersecurity reviews and stop maintaining their customers’ Social Security numbers.

Thursday, October 12, 5:00 p.m.: This story has been updated to include a more recent statement from Equifax.
