CREDIT SCORE CRETIN Equifax has pulled part of its customer-services website offline after it was reported that the page was pushing a fake Flash update on visitors, but has excused itself by citing a third-party supplier as the problem.
We reported on this second Equifax problem earlier this week thanks to security chap Randy Abrams, who found that some of the company's pages redirected to a fake Flash update that did something rather worse than updating Flash.
In a statement, Equifax said that none of its systems had been compromised, but didn't say whether any credit-rating seekers' machines had. It did say, however, that none of this was its fault.
"The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor's code running on an Equifax website was serving malicious content," it said. "Since we learned of the issue, the vendor's code was removed from the web page and we have taken the web page offline to conduct further analysis."
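The pattern Equifax describes, a performance vendor's script executing inside the page and redirecting visitors elsewhere, is the one that Subresource Integrity and a Content Security Policy are meant to constrain. The audit below is an added example and is not Equifax's or the vendor's code: it parses a page's `<script>` tags, flags third-party scripts that carry no `integrity` hash (so nothing pins what code the vendor is serving), flags SRI tags that will fail for lack of a `crossorigin` attribute, and derives a `script-src` allow-list from the origins the page actually loads. The HTML, the hostnames and the `OWN_HOSTS` set are constructed for illustration.

```python
"""Audit <script> tags for third-party loads without Subresource Integrity (SRI)
and derive a CSP script-src allow-list from what the page loads.

Added example, not code from Equifax or its vendor. Sample HTML and hostnames
are constructed; OWN_HOSTS is an assumed list of the site's own hosts.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a same-origin script, a script on the site's own CDN
# with SRI, a performance-vendor tag with no SRI (the pattern in the article),
# a tag with SRI but no crossorigin attribute, and an inline script.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="//perf-vendor.example.net/collect.js"></script>
<script src="https://tags.example.org/t.js" integrity="sha384-BBBB"></script>
<script>window.init = 1;</script>
</head><body></body></html>"""

# Hosts the site operator controls (assumed); anything else is a third party.
OWN_HOSTS = {"www.example.com", "cdn.example.com"}


class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> tag in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append({k.lower(): v for k, v in attrs})


def _host(src):
    """Hostname of a script src; '' for a relative (same-origin) URL."""
    return urlparse(src).netloc.lower()


def audit_scripts(html, own_hosts):
    """Return (finding, src) pairs for scripts a reviewer should look at."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        src = s.get("src")
        if src is None:
            # Inline code cannot carry an integrity hash; CSP needs a nonce or
            # hash to allow it, so it is worth listing.
            findings.append(("inline", None))
            continue
        host = _host(src)
        if host == "" or host in own_hosts:
            continue  # first party: SRI still helps, but not the supply-chain case
        if "integrity" not in s:
            # Vendor code runs in the page with nothing pinning what it is.
            findings.append(("third-party-no-sri", src))
        elif "crossorigin" not in s:
            # SRI on a cross-origin script needs CORS; without crossorigin the
            # browser cannot check the hash and refuses to run the script.
            findings.append(("sri-missing-crossorigin", src))
    return findings


def suggested_script_src(html):
    """CSP script-src naming only the origins the page actually loads from.

    Relative URLs are covered by 'self'; scheme-relative ones are assumed https.
    """
    parser = ScriptCollector()
    parser.feed(html)
    origins = sorted(
        {"https://" + _host(s["src"]) for s in parser.scripts
         if s.get("src") and _host(s["src"])}
    )
    return "script-src 'self' " + " ".join(origins)


if __name__ == "__main__":
    for finding, src in audit_scripts(SAMPLE_HTML, OWN_HOSTS):
        print(f"{finding:25} {src}")
    print(suggested_script_src(SAMPLE_HTML))
```

Two caveats a practitioner should keep in mind. An SRI hash only helps if it is pinned to a known-good version, which means a vendor that ships frequent updates will break the tag unless the hash is refreshed each time; analytics and performance tags are exactly that kind of script. And neither SRI nor CSP stops an allow-listed script from doing what the Equifax page did, namely navigating the visitor to another URL: no shipped CSP directive blocks navigation, so the controls decide which code runs, not what that code is permitted to do once it runs.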
Equifax has handled the hack fallout badly, and its response has been to set up a new website for concerned punters to go to. However, its Twitter people occasionally sent people to the wrong site, a lookalike domain that a security researcher had set up to demonstrate how easily the real one could be phished.
Of course, by this time we knew that Equifax caused the original problem by not patching Apache Struts when it had the chance.
Randy Abrams, which is a great name, seemed rather reluctant to pour more troubles on the firm, but this is his job after all, and while he may not take pleasure in it, it is probably something that Equifax users need to know about, not to mention Equifax itself.
"I'm really not trying to kick Equifax while they are down. There are already 150 million other people doing that. I just sort of tripped over them," he wrote.
"I like Equifax more than Experian. TrustedID gave me the heads-up that Experian had falsified personal information in my file. After verifying that Experian did in fact falsify the data (it was due to incompetence and apathy) I decided to see if the misinformation had propagated to Equifax.
"As I tried to find my credit report on the Equifax website I clicked on an Equifax link and was redirected to a malicious URL. The URL brought up one of the ubiquitous fake Flash Player Update screens."
Equifax is down. It recently had to admit to a significant breach affecting some 145.5 million punters, caused by an old Apache Struts flaw that it should have patched ages ago. Having lost the personal details of almost half of the US population, the firm then saw its CEO take the opportunity to retire.
"I'm indebted to the 10,000 Equifax employees who have dedicated their lives to making this a better company," said Richard Smith after a dozen years of service.
"The cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right. At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward."
Nothing like a major disruption after a major disruption to move a company forward. As Abrams said, "Seriously folks. Equifax has enough on their plate trying to update Apache. They are not going to help you update Flash". µ