Somehow, the worst credit-card-data breach in U.S. history just got worse. Equifax — the credit-reporting company that exposed the sensitive data of over 140 million people earlier this year — took one of its customer help web pages offline earlier today in response to reports that site was infecting visitors’ computers with malware.
The breach was first noticed by Randy Abrams, an independent security analyst that had been visiting the site to flag fraudulent activity on his credit report. According to Ars Technica, the now-deactivated section of Equifax’s website redirected Abrams to the domain hxxp//:centerbluray.info, which tried to dupe him into downloading a fake, malware-ridden Flash update.
Malware-infested links are a common form of online attack, yet they are rarely found on the websites of companies like Equifax. (Much less on web pages specifically designated to help the victims of previous hacks.) Most companies whose primary purpose is to collect and secure highly sensitive (and incredibly lucrative) data invest in, you know, basic security measures. However, since the breach was reported earlier this year, Equifax has proven again and again that it isn’t even capable of that. Reports of this new attack prove that the situation has officially moved beyond being merely embarrassing for the company and suggest that it’s too negligent to even be trusted to clean up its own mess.
In a statement to Ars Technica, an Equifax representative wrote:
We are aware of the situation identified on the equifax.com website in the credit report assistance link. Our IT and Security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline. When it becomes available or we have more information to share, we will.
