- Equifax's cybersecurity woes continue after a third-party security firm found malicious actors on the credit bureau's website, as first reported by Ars Technica. The attack occurred over several hours on Wednesday and again on Thursday morning. Hackers controlled the site and directed users to install fake Adobe Flash updates which would in turn grant access for infection. The adware was only detectable by three of 65 antivirus providers, including Symantec, Panda and Webroot, according to the report.
- The code behind the adware was determined to be "obfuscated" with abilities to "conceal itself from reverse engineering." Independent assessments of the fraudulent Adobe Flash update alluded to the possibility that a third-party ad network Equifax used could be to blame. If this is the case, the ad network could sabotage other sites too.
- Equifax quickly suspended the third-party content. The company says the site is up and operational, reports ZDNet. Although Equifax claims it is not the victim of a second cybersecurity breach, the IRS did temporarily halt some services stemming from its $7.2 million controversial contract with Equifax.
Equifax just can't seem to get out of its way. The confidence boost from landing the IRS contract suddenly seems flat in light of Thursday's events.
The latest development comes about a week after former CEO, Richard Smith, testified before the House Energy and Commerce Committee. Equifax is facing financial, legal and ethical backlash after its disclosure of a data breach that left 145.5 million consumers vulnerable, previously reported at 143 million people.
Criticisms of how the breach was handled only mounted after revelations started to emerge. Equifax learned of the breach in late July, and top executives soon after sold off $1.8 million in company shares, and the firm disclosed the breach to the public in early September. Hackers infiltrated Equifax's system through a web application vulnerability, which had an available patch three months prior to the infection that Equifax ignored.
Top executives including the CIO, CSO and CEO have left the firm, but Congress chastised Smith not only for the handling of data but also for collecting information that is "way beyond what you need to determine if [someone]'s creditworthy." Investigations continue for Equifax, but more reports on the firm's disorganized and absent cybersecurity protocols raise deeper concerns.