Equifax says it was not breached again, but vendor on site served ‘malicious content’.
Equifax says its systems may not have been breached again, but blamed a third-party vendor for running malicious code. On Thursday, a security analyst reported that a link on the Equifax website redirected him to a third-party site that encouraged him to download malware.
“The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content,” Equifax said in a statement. “Since we learned of the issue, the vendor’s code was removed from the web page and we have taken the web page offline to conduct further analysis.”
Security analyst Randy Abrams said he encountered the malicious link when downloading his credit report. A link on the Equifax site directs users to an announcement that the credit report assistance page is down for maintenance.
Shares dropped as much as 3.5% Thursday.
“This incident should serve as a warning for any website operator to know and control vendor risk in the digital world – all website code, both first and third party, should be continuously monitored to avoid these scenarios,” Chris Olson, CEO of cyber security firm The Media Trust, said in an emailed statement.
The malware security violation comes a month after Equifax disclosed that a massive data breach exposed the Social Security numbers and birth dates of as many as 145.5 million Americans. Last week Equifax disclosed that hackers may have stolen the personal information of 2.5 million more U.S. consumers than it initially estimated. The company said the additional customers were not victims of a new attack but rather victims whom the company had not counted before.