Equifax says systems were not compromised by malicious web page links


(Justin Lane/European Pressphoto Agency-EFE)

Equifax said Thursday that its systems were not compromised, after they looked into a report by an independent researcher that one of the company’s credit assistance pages contained malicious links.

“Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal,” a spokesperson for the credit reporting agency said in a statement. “The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content. Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis.”

Earlier on Thursday, Ars Technica reported that security analyst Randy Abrams was prompted to download fraudulent Adobe Flash updates when he visited the Equifax website to contest his credit report. Abrams determined that when those updates were clicked, adware would infect a visitor’s computer. Abrams also encountered those links during at least three subsequent visits, according to Ars Technica.

The Web page in question allowed people to access information under the “Credit Report Assistance” heading.

The possibility of another malicious hack at Equifax comes just a week after the company’s former chief executive, Richard Smith, was grilled by angry lawmakers over a massive data breach that may have compromised the sensitive information of as many as 145 million people. Equifax first disclosed that breach in September. But lawmakers and several federal agencies, including the FBI and the Federal Trade Commission, are investigating the company’s response to the breach, why it took Equifax more than a month to notify the public and whether executives engaged in insider trading.

Equifax and the Internal Revenue Service also are facing pressure from lawmakers over a $7.2 million contract that Equifax was awarded, after the breach was made public, for the company to verify taxpayer identities and help prevent fraud.