Equifax, the embattled credit reporting company, was under pressure in Thursday (Oct. 12) trading after rumors began to circulate about a potential new data breach.
Those rumors (see update below) turned out to be largely incorrect — but news reports on CNBC indicated that Equifax had said it removed its customer help page and was investigating another possible cyberattack.
The new cybersecurity inquiry comes just weeks after disclosing it was hacked, leaving 145.5 million customers’ personal data vulnerable to cybercriminals. The data breach also included 209,000 credit account numbers.
“We are aware of the situation,” a spokesman told CNBC. “Our IT and security teams are looking into this matter and, out of an abundance of caution, have temporarily taken this page offline.”
The report noted the problem originated from a credit report assistance link on the company’s website. According to CNBC, an independent security analyst informed Ars Technica on Wednesday (Oct. 11) that there was a problem with Equifax’s website. Visitors were apparently being redirected to a fake software update.
Ever since Equifax disclosed its massive data leak, the company has been under fire for its cybersecurity protections. Last week, The Wall Street Journal reported that financial company MSCI had warned Equifax a year before its massive data breach that there were signs it wasn’t adequately protecting the data of its millions of customers.
According to a news report in the WSJ, MSCI reported in August of last year that Equifax wasn’t equipped for the “increasing frequency and sophistication of data breaches.” After poring over Equifax’s records, the company said it found zero evidence that the credit scoring company conducted regular cybersecurity audits or provided training to employees on identity risks, nor did they have any emergency plans to handle a data breach or leak.
What’s more, MSCI scored a zero for the privacy and security of consumers’ data. Due to cybersecurity concerns, MSCI removed Equifax from its stock indices, which evaluate companies based on environmental, social and governance criteria.
Equifax, as of later reports on Thursday, clarified that it had not been breached, but that one of its third-party vendors had been running malicious code on one its web pages — but the credit reporting agency was not breached again. They noted that the affected site was taken down “out of an abundance of caution” following a report by the technology news website Ars Technica that the company’s website may have been hacked.
“Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal,” spokeswoman Francesca De Girolami said in a statement on Thursday. “The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content.”
The company said it has removed the vendor’s code from the webpage, which was taken offline for further study.