Equifax created a separate breach notification website at www.equifaxsecurity2017.com to help consumers determine whether they were affected by the data breach the company publicly announced on September 7, 2017, and what to do if they were.
The site was hosted on a brand-new domain rather than under Equifax's established equifax.com, so consumers had no familiar name against which to check the address. To show how easy that made impersonation, a software engineer named Nick Sweeting registered the lookalike domain http://securityequifax2017.com (the same words in a different order) and put up a clone of the real site; it has since been taken down.
Equifax's own support account accidentally tweeted links to the fake site eight times, beginning on September 9, until Chrome, Firefox and Safari blacklisted it. Sweeting took the site down, but not before it had received about 200,000 hits.
Cyber criminals normally create fake websites for phishing scams. Sweeting's aim was to demonstrate how weak Equifax's handling of the notification site was, and that it left the very consumers whose data had just been exposed open to being phished a second time.
In an email to the New York Times, Sweeting said: “Their site is dangerously easy to impersonate. It only took me 20 minutes to build my clone. I can guarantee there are real malicious phishing versions already out there.” Sweeting also said that no personal information was collected through the mock fill-out forms.
Sweeting also pointed out that anyone can copy a site's HTML, CSS, images and other assets with a command-line downloader such as wget, which is why a convincing clone takes minutes rather than days to build. Like other security practitioners, he wants Equifax to take extra precautions, such as changing the site's domain name so that it sits under a name consumers already recognize.
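The weakness the article describes has two halves: a multi-word domain that an impersonator can re-order or re-spell, and a communications team that published the wrong link. The following Python script is an added example, not code from the article or from Equifax: it builds the set of domains an impersonator could form from the same words (every ordering, hyphenated or not, with one word optionally dropped, across a few common TLDs) and then classifies outbound links as legitimate, lookalike or external before they are published. The legitimate domain is the one named in the article; the sample links, the token list and the trusted-domain set are constructed for the example.

```python
"""Flag outbound links whose host impersonates a breach-notification domain.

Added example, not part of the original article. LEGIT_HOST is the domain
the article names; LEGIT_TOKENS, TLDS, TRUSTED and SAMPLE_LINKS are
constructed assumptions for illustration, not real published links.
"""
import itertools
from urllib.parse import urlparse

LEGIT_HOST = "equifaxsecurity2017.com"          # the real notification domain
LEGIT_TOKENS = ("equifax", "security", "2017")  # assumed word split of its label
TLDS = ("com", "net", "org", "info")            # TLDs an impersonator might pick
JOINERS = ("", "-")                              # with or without hyphens
# Registrable domains the organisation actually owns (assumed for the example).
TRUSTED = frozenset({LEGIT_HOST, "equifax.com"})


def lookalike_domains(tokens=LEGIT_TOKENS, tlds=TLDS):
    """Every domain an impersonator could build from the same words:
    all orderings of the tokens, and all orderings with one token dropped,
    joined with or without hyphens, across the listed TLDs.
    The legitimate domain itself is excluded."""
    labels = set()
    for n in (len(tokens), len(tokens) - 1):
        if n < 1:
            continue
        for combo in itertools.permutations(tokens, n):
            for joiner in JOINERS:
                labels.add(joiner.join(combo))
    domains = {f"{label}.{tld}" for label in labels for tld in tlds}
    domains.discard(LEGIT_HOST)
    return domains


def registrable_domain(host):
    """Last two labels of the host, lower-cased. Adequate for .com/.net;
    a production check should consult the Public Suffix List so that
    e.g. example.co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url, trusted=TRUSTED, lookalikes=None):
    """Return 'legitimate', 'lookalike' or 'external' for one link.

    A link is legitimate only when its *registrable* domain is trusted, so
    legit.com.attacker.net (a subdomain that merely starts with the real
    name) is classified as external, not legitimate."""
    if lookalikes is None:
        lookalikes = lookalike_domains()
    parsed = urlparse(url if "://" in url else "http://" + url)
    domain = registrable_domain(parsed.hostname or "")
    if domain in trusted:
        return "legitimate"
    if domain in lookalikes:
        return "lookalike"
    return "external"


def audit_links(urls, **kwargs):
    """Map each URL to its verdict; anything marked 'lookalike' must not be
    published, and 'external' links deserve a manual look."""
    return {url: classify_link(url, **kwargs) for url in urls}


SAMPLE_LINKS = (  # constructed for the example
    "https://www.equifaxsecurity2017.com/",
    "http://securityequifax2017.com/",
    "https://equifax-security-2017.com/enroll",
    "https://equifaxsecurity2017.com.example.net/",
    "https://www.equifax.com/personal/",
)

if __name__ == "__main__":
    for link, verdict in audit_links(SAMPLE_LINKS).items():
        print(f"{verdict:10s} {link}")
```

The permutation set is deliberately generous: a real deployment would also add single-character typos and homoglyphs, and would register or monitor the generated names rather than only screening outbound links. The more important lesson is the one Sweeting drew: a notification site under the company's established domain has a much smaller impersonation surface than a fresh multi-word name.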
Although Equifax has said it is tightening its cybersecurity measures, comedian and political commentator John Oliver and HBO's Last Week Tonight are challenging the company to do so sooner rather than later. On October 15, 2017, Last Week Tonight bought the domain https://equifaxfraudprevention.com/ and advertised it on Oliver's latest episode. The links in the screenshot below lead to the credit bureaus' credit-freeze pages.
Protect your organization from cyber crime
Each organization that processes personal data has a responsibility to protect this information and the systems that maintain it.
Equifax's handling of the information it holds has been irresponsible and has drawn intense public scrutiny. The company has already seen its share price fall and may face fines, just two of the many consequences of failing to protect consumer data.
In the US, several states pair their own cybersecurity laws with data breach notification laws, and the overall regime is a patchwork of industry-specific federal laws and state legislation with varying scope and jurisdiction. Organizations that do business across the US and internationally must account for these laws and for those of other nations.
On May 25, 2018, the EU General Data Protection Regulation (GDPR) becomes enforceable. Any organization that processes the personal data of individuals in the EU will be affected, wherever it is based.
GDPR non-compliance can result in fines of up to 4% of annual global turnover or €20 million ($23.5 million), whichever is greater. Deploying an information security management system (ISMS) supports compliance by providing a systematic approach to managing confidential or sensitive information so that it stays confidential, available and uncorrupted (the classic confidentiality, integrity and availability triad).
ISO 27001 is the international standard for an ISMS. Implementing an ISO 27001-certified ISMS demonstrates your commitment to protecting consumer data and gives you a recognized way to show the "appropriate technical and organisational measures" that Article 32 of the GDPR requires.
IT Governance has managed ISO 27001 implementations since the inception of the Standard and led the world’s first ISO 27001 certification project.