Equifax says code ‘was serving malicious content’

Houston Chronicle - BUSINESS - By Jim Puzzanghera and Lauren Raab

WASHINGTON — Equifax took part of its website offline Thursday after code on the site redirected users to a malicious URL urging them to download malware.

Also Thursday, a top Republican congressman introduced a bill that would stop credit reporting companies such as Equifax from using Social Security numbers to verify Americans’ identities.

The moves come a month after Equifax revealed that a data breach exposed the Social Security numbers and birthdates of as many as 145.5 million Americans. That hack took place after Equifax failed for several months to fix a software flaw that federal officials had warned about in March.

Late Wednesday night, independent security analyst Randy Abrams said in a blog post that while he was trying to download his credit report from the Equifax site, he clicked a link that kicked him to a third-party website with “one of the ubiquitous fake Flash Player Update screens.” His post was first reported by technology news site Ars Technica.

Third party

Equifax said Thursday that the problem stemmed from code provided by a third party.

“The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content,” the company said in a statement. “Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis.”

‘Not compromised’

Equifax emphasized that its “systems were not compromised” and said that despite early reports, the problem “did not affect our consumer online dispute portal.”

Its spokespeople did not answer questions about when the company learned of the problem or how many website visitors clicked the link.

Everyone uses third-party code, said Jeff Williams, chief technology officer and co-founder of Contrast Security. However, he said in a statement, doing so “creates an obligation to analyze for vulnerabilities continuously and respond to new vulnerabilities/attacks within hours.”

Separately, Rep. Patrick McHenry, R-N.C., introduced legislation Thursday that would crack down on credit reporting companies. It would require Equifax, Experian and TransUnion to phase out the use of Social Security numbers by 2020.
