Equifax Inc. has taken part of its website offline after an independent security analyst reported that the site apparently had been hacked. He said clicking a link on the site redirected him to a malicious URL urging him to download malware.
Also Thursday, a top Republican congressman introduced a bill that would stop credit reporting companies such as Equifax from using Social Security numbers to verify Americans’ identities.
The potential hack comes a month after Equifax revealed that a data breach exposed the Social Security numbers and birthdates of as many as 145.5 million Americans. That earlier hack took place after Equifax failed for several months to fix a software flaw that federal officials had warned about in March.
Late Wednesday night, security analyst Randy Abrams said in a blog post that while he was trying to download his credit report from the Equifax site, he clicked a link that kicked him to a third-party website with “one of the ubiquitous fake Flash Player Update screens.” His post was first reported by technology news site Ars Technica.
As of Thursday morning, that link instead directs users to an Equifax announcement that the page is down for maintenance.
“We are aware of the situation identified on the equifax.com website in the credit report assistance link,” an Equifax spokesperson said in a statement. “Our IT and Security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline.”
This wouldn’t be the first time that people trusting Equifax have been sent to a questionable third-party site.
After announcing the massive data breach last month, Equifax set up a website — equifaxsecurity2017.com — to help people determine whether they had been affected. But on multiple occasions, Equifax’s Twitter account instead advised people to go to a different site with a similar URL. That site had been created by an engineer who wanted to show how easy it would be to set up a phishing site that mimicked Equifax’s.
Separately, Rep. Patrick McHenry (R-N.C.) introduced legislation Thursday that would crack down on credit reporting companies. It would require Equifax, Experian and TransUnion to phase out the use of Social Security numbers by 2020.
The legislation also would create a national framework for consumers to freeze access to their credit to prevent identity theft, and it would require the federal government to create uniform cybersecurity standards for credit reporting companies and conduct onsite examinations.
“The bill I’ve introduced today takes an important first step in providing meaningful reforms to help Americans who have been impacted by this breach,” McHenry said. “It is focused on prevention, protection and prohibition.”
The breach revealed last month, and Equifax’s bungled handling of its aftermath, led to bipartisan outrage. The company’s former chief executive, Richard Smith — who stepped down after the breach was disclosed — was slammed by lawmakers in four congressional hearings last week.
In response to criticism of its efforts to help consumers deal with the breach, Equifax said it would stop charging people to freeze access to their credit records so that no data would be released to scammers. Smith told lawmakers that such free credit freezes should be the industry standard and that the nation should consider replacing Social Security numbers “as the touchstone for identity verification.”
The Trump administration also is looking at reducing the importance of Social Security numbers. Rob Joyce, the White House cybersecurity coordinator, said at a conference last week that the Social Security number “has outlived its usefulness” and that he wanted to find a “modern cryptographic identifier” that would be more secure.
McHenry’s bill is at least the third introduced to impose tougher standards on credit reporting companies. But as a member of the House Republican leadership, he may have the clout to push his proposal through.
The Promoting Responsible Oversight of Transactions and Examinations of Credit Technology, or PROTECT, Act would subject large credit reporting companies to the same federal cybersecurity standards and oversight as banks and other financial institutions, McHenry said.
Shifting away from reliance on Social Security numbers is a key part of the bill. McHenry said he wanted to stop credit reporting companies from relying on the numbers, which he called “the most sensitive of Americans’ personal information.”
12:25 p.m.: This article was updated with information about Equifax’s Twitter account having sent people to an impostor website.
10:25 a.m.: This article was updated with information about an apparent hack of Equifax’s website.
This article was originally published at 9:05 a.m.
Equifax website is apparently hacked – Los Angeles Times