Well that's embarrassing. Equifax mistakenly sent people looking for more information about its recent data breach, which compromised the private data of 143 million Americans, to a mock website that could have stolen the last six digits of their Social Security numbers and other sensitive info.
When it revealed the data breach, Equifax set up a website dedicated to helping people find out if their information was affected by the hack and what they can do to protect themselves if they were. That site--the real one--resides at "equifaxsecurity2017.com." The mock site, which featured a similar design, bore the URL "securityequifax2017.com." You might think those URLs are different enough for people to notice. You would be wrong.
The addresses were apparently similar enough to fool several Equifax employees who shared links to the mock website on Twitter. To be clear: The employees who are supposed to help people respond to one of the most devastating breaches in history shared a link to a fake website that asked for sensitive information. People could have compromised their personal data simply by trying to find out if they were affected by the hack.
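The spoofed address is the legitimate hostname with its words reordered, which is exactly the kind of difference people skim past. The following is an added example, not code from the article or from Equifax, of a defender-side check that a communications or security team could run over outgoing posts before they go live: it extracts URLs, normalizes the hostname, and flags any domain whose word tokens are a permutation of a known legitimate domain. The allowlist, the brand vocabulary, the two-label suffix rule, and the sample tweet are all assumptions made for the example.

```python
"""Flag lookalike domains built by reordering the words of a legitimate hostname.

Added example, not part of the original article. Assumptions:
  * LEGITIMATE_HOSTS holds the real breach-response site named in the article.
  * BRAND_TOKENS is the vocabulary a spoofer would shuffle (illustrative).
  * The registrable name is taken as the last two labels, which is wrong for
    suffixes like "co.uk"; a real deployment would use the public suffix list.
"""
import re
from urllib.parse import urlsplit

LEGITIMATE_HOSTS = {"equifaxsecurity2017.com"}
BRAND_TOKENS = ("equifax", "security")  # assumed vocabulary for tokenizing labels

# Match known brand words or runs of digits (the "2017" in the real hostname).
_TOKEN_RE = re.compile("|".join(map(re.escape, BRAND_TOKENS)) + r"|\d+")
# Plain http(s) URLs inside free text; trailing punctuation is trimmed later.
_URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_name(url: str) -> str:
    """Return the lowercased registrable domain of a URL or bare hostname."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Assumption: two-label public suffixes are not handled here.
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def tokenize(label: str):
    """Split a hostname label into brand words and digit runs.

    Returns None if any part of the label is not covered by the vocabulary,
    so unrelated domains are never mistaken for permutations.
    """
    label = label.replace("-", "")  # treat "equifax-security" like "equifaxsecurity"
    tokens, pos = [], 0
    for match in _TOKEN_RE.finditer(label):
        if match.start() != pos:
            return None
        tokens.append(match.group())
        pos = match.end()
    return tokens if pos == len(label) else None


def classify(url: str) -> str:
    """Return 'legitimate', 'lookalike', or 'unknown' for a URL."""
    name = registrable_name(url)
    if name in LEGITIMATE_HOSTS:
        return "legitimate"
    label = name.rsplit(".", 1)[0]
    tokens = tokenize(label)
    if tokens is None:
        return "unknown"
    for legit in LEGITIMATE_HOSTS:
        legit_tokens = tokenize(legit.rsplit(".", 1)[0])
        # Same multiset of words (any order, any TLD) but not the real host.
        if legit_tokens is not None and sorted(tokens) == sorted(legit_tokens):
            return "lookalike"
    return "unknown"


def scan_text(text: str):
    """Extract URLs from free text and classify each one."""
    urls = [u.rstrip(".,;:)") for u in _URL_RE.findall(text)]
    return [(u, classify(u)) for u in urls]


if __name__ == "__main__":
    # Constructed sample post, not a real tweet.
    sample = ("Need help after the breach? Visit https://securityequifax2017.com "
              "or https://www.equifaxsecurity2017.com/en/ for details.")
    for url, verdict in scan_text(sample):
        print(f"{verdict:10s} {url}")
```

Running the block prints one line per URL in the constructed post; the word-shuffled domain comes back as `lookalike` while the real site, even with a `www.` prefix and a path, comes back as `legitimate`. Domains that share no vocabulary with the brand are reported as `unknown` rather than guessed at, which keeps the check from blocking ordinary links.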
Here's the good news: The person who claims to have set up the website merely wanted to highlight the mistakes Equifax made when it set up its own site. Instead of presenting information related to the breach on its main site, the company set up a dedicated page with an easily spoofed URL its own employees couldn't keep straight. Even more concerning is the fact that this is just another notch on the company's belt of mistakes.
The problems started when Equifax failed to patch a known vulnerability in Apache Struts, months after the fix was released. Then, it took the company several days to disclose the breach, during which time some executives sold off stock in what Equifax said was an unrelated incident. Next it was revealed that the company had secured an Argentinian web portal with the astoundingly insecure username / password combination of "admin / admin."
In the meantime, Equifax was criticized for its TrustedID Premier service, which required people to waive their right to sue the company in exchange for identity theft and fraud protection. Equifax changed those terms after public outcry, but other problems with the service, such as the fact that people will have to pay for it after just one year of using it, remain. (Again, the stolen information won't expire in a year, so Equifax's offering is a stall at best.)
The other good news is that Google Chrome now flags the mock website as deceptive, so it should be harder for people to submit portions of their Social Security numbers to an illegitimate site. Equifax's breach also prompted Democratic senators to introduce the Data Broker Accountability and Transparency Act, which aims to hold data brokers accountable for securing the information they store, especially since few people have a say in whether or not their personal data is vacuumed up by these companies and sold to other businesses without their knowledge or consent.
It's worth reiterating that if people escape this incident unscathed it will be despite, not because of, Equifax. The company failed to take basic security precautions at every step of this episode, including using weak username / password combinations, not installing patches for critical vulnerabilities, and letting employees share links to malicious websites on Twitter, and its failings are as indefensible as they are harmful.