Already in the midst of the worst year ever for a credit-reporting agency, Equifax said Thursday that it was the victim of another cyberattack, this time involving a fake Flash downloader that greeted some people on its website.
The new data breach was first reported by the tech site Ars Technica, tipped off by an independent security analyst who purportedly went to Equifax.com and was redirected to another site when prompted to install the Flash application.
The security analyst, identified as Randy Abrams, accessed Equifax’s website to report some false information on his credit report, according to Ars Technica.
Equifax hacked again, company stock price plummets
On Thursday, an Equifax spokesman told the news website Mic.com that the company’s website was hacked and that its IT team had taken down the suspect webpage.
“We are aware of the situation identified on the Equifax.com website in the credit report assistance link,” the Equifax spokesman told Mic. “Our IT and security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline.”
The latest hack comes more than a month after the Atlanta-based company announced a massive data breach that has affected as many as 145.5 million people.
Equifax’s stock plunged at the news of the latest breach, a Wall Street Journal reporter noted on Twitter.
The repeated hacks at Equifax — and company’s inability to stop them — has shaken consumer confidence in one of the country’s main credit-reporting agencies and led to calls for class-action lawsuits in several states.
With the new information we know on the Equifax data breach, here’s a timeline:
- August 2016: MSCI warns Equifax of vulnerability to data breach
- March 2017: Agency learns that hackers broke into their computer system
- July 29, 2017: Equifax’s Security team observes “suspicious network traffic” associated with its online web portal and blocks it
- August 2, 2017: Equifax hires Mandiant, a cybersecurity firm, to investigate the hack and find out what was exposed
- September 7, 2017: Company announces that “criminals” exposed as many as 143 million people to identity fraud
- September 26, 2017: The Board of Equifax announces that Richard Smith is out as Chairman/CEO effectively immediately
- October 2, 2017: Mandiant’s concluded investigation shows that an additional 2.5 million U.S. consumers were potentially impacted, bringing the total exposed in the hack to 145.5 million
- October 12, 2017: Equifax confirms it was hacked again, this time with a fake Flash installer application. The company is investigating the attack to learn more
What personal information was stolen in the hack?
The September 7 hack was a biggie: Criminals were able to gain access to names, Social Security numbers, birth dates and addresses. In many cases, even more personal data was exposed, including driver’s license and credit card numbers.
Anyone impacted by the breach is now at risk of identity theft and fraud — as any piece of this personal information can be used by, or sold to, criminals who can use it to open credit cards, take out loans, make purchases in your name — or even drain your bank accounts.
Money expert Clark Howard says rather than waiting on Equifax to get itself together, consumers should be proactive and do what they can to protect themselves from identity fraud. Here is what he recommends:
Take these 2 steps to help protect your identity
1. Sign up for Credit Karma’s free credit monitoring: Go to CreditKarma.com to sign up for an account. Not only is the service free, but Credit Karma lets you access your credit scores and reports without charge as many times as you like.
2. Freeze your credit with all three main credit bureaus: Clark says even if your personal info was not exposed by the Equifax data breach, you should still freeze your credit to protect yourself and your money.