USA TODAY US Edition

More trouble strikes Equifax

Link put some at risk of ‘malicious content,’ the company says

Link on its website put some at malware risk

Equifax says its systems were not breached and blamed a third-party vendor for running malicious code.

On Thursday, a security analyst reported that a link on the Equifax website redirected him to a third-party site that encouraged him to download malware.

“The issue involves a third-par- ty vendor that Equifax uses to collect website performanc­e data, and that vendor’s code running on an Equifax website was serving malicious content,” Equifax said in a statement. “Since we learned of the issue, the vendor’s code was removed from the Web page, and we have taken the Web page offline to conduct further analysis.”

Security analyst Randy Abrams said he encountere­d the malicious link when downloadin­g his credit report. A link on the Equifax site directs users to an announceme­nt that the credit report assistance page is down for maintenanc­e.

Shares dropped as much as

3.5% Thursday.

“This incident should serve as a warning for any website operator to know and control vendor risk in the digital world — all website code, both first and third party, should be continuous­ly monitored to avoid these scenarios,” Chris Olson, CEO of cybersecur­ity firm The Media Trust, said in an emailed statement.

The malware, first reported by tech news site Ars Technica, comes a month after Equifax disclosed that a massive data breach exposed the Social Security numbers and birth dates of as many as 145.5 million Americans.

Last week Equifax disclosed that hackers may have stolen the personal informatio­n of 2.5 million more U.S. consumers than it initially estimated.

The company said the additional customers were not victims of a new attack but rather victims who the company had not counted before. The breach and, even more so, Equifax’s handling of it angered lawmakers.

The Equifax website and the call centers it establishe­d to serve customers faltered. Many consumers faced error messages on the website and couldn’t reach anyone at Equifax by phone.

The company’s former chief executive, Richard Smith, who was forced into retirement after the breach was disclosed, was criticized by lawmakers in four congressio­nal hearings last week. A few times, he visibly flinched as he was grilled over the hack that was first made public Sept. 7.

Smith said the hack was possible because someone in Equifax’s security department didn’t patch a flaw. A scan performed later to check that the patch had been implemente­d failed to detect that it hadn’t, he told lawmakers.

Rep. Patrick McHenry, R-N.C., introduced legislatio­n Thursday that would require credit-reporting companies such as Equifax to stop using Social Security numbers to verify people’s identities by 2020. The legislatio­n would also force credit-reporting companies to submit to regular cybersecur­ity reviews.