Over the past month, Atlanta-based credit rating agency Equifax tweeted links to a fake website that looked similar to its own.
It’s the latest in a series of missteps following the announcement in early September that the personal information of more than 143 million people, including credit card and Social Security numbers, was exposed in a cyberattack.
It was followed closely by news that came out about several Equifax executives selling their stocks in the company around the time the breach was made public.
The website equifaxsecurity2017.com was set up by the company for people to check if their information may have been impacted by entering their name and part of their Social Security number so they could then sign up for credit-monitoring services.
Colombia-based software engineer Nick Sweeting said he switched the first two words around to create securityequifax2017.com for just $15. He said more than 200,000 people clicked on it before he took it down Wednesday, partly because Equifax promoted the fake website on Twitter.
“I was honestly not that surprised when someone showed me the mistweet. It's just another mistake in a long line of horrendous security blunders they've made,” Sweeting said. “I was slightly more surprised when I learned that they tweeted the wrong link over eight times.”
He said he took his website down Wednesday evening and added it’s hard for people to trust and authenticate equifaxsecurity2017.com because it’s a different domain than equifax.com, which he said makes it easy for people like him to impersonate.
“My fake site is not malicious in any way. It loads over https, and I've disabled the eligibility form so that no information typed in gets sent anywhere or saved in any way,” Sweeting said. “It's in everyone's interest to get Equifax to change this site to a reputable domain. I knew it would only cost me $15 to set up a site that would get people to notice, so I just did it. Their site is dangerously easy to impersonate. It only took me 20 minutes to build my clone. I can guarantee there are real malicious phishing versions already out there.”
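The impersonation Sweeting describes works because a reader has no reliable way to tell equifaxsecurity2017.com from securityequifax2017.com, and the company's own tweets would have passed no check before going out. The following is an added example, not code from the article or from Equifax: a pre-publication check that extracts every link in a draft post and flags any whose registrable domain is not on an allowlist. The allowlist is constructed here from the two domains Equifax named in its statement, and the registrable-domain helper uses a two-label heuristic (an assumption that is fine for .com but would need a public-suffix list for domains such as .co.uk).

```python
import re
from typing import List, Optional, Set
from urllib.parse import urlparse

# Constructed allowlist for this example: the two domains named in Equifax's statement.
OFFICIAL_DOMAINS: Set[str] = {"equifax.com", "equifaxsecurity2017.com"}

# Matches http(s) URLs and bare "www." links inside free text.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s\"'<>]+", re.IGNORECASE)


def registrable_domain(url: str) -> Optional[str]:
    """Return the last two labels of the URL's hostname, lowercased.

    Assumption: a two-label suffix (e.g. example.com) is the registrable
    domain. urlparse() drops any user-info prefix, so a link such as
    https://equifax.com@securityequifax2017.com/ resolves to the real host.
    """
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = parsed.hostname
    if not host:
        return None
    labels = host.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])


def is_official_link(url: str, allowlist: Set[str] = OFFICIAL_DOMAINS) -> bool:
    """True only when the registrable domain exactly equals an allowlisted one.

    Exact comparison means a swapped-word lookalike, a lookalike used as a
    subdomain of some other site, and a bare substring match all fail.
    """
    return registrable_domain(url) in allowlist


def unofficial_links(text: str) -> List[str]:
    """Return every link in a draft post that is not on the allowlist."""
    flagged = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)")  # trailing sentence punctuation is not part of the URL
        if not is_official_link(url):
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    # Constructed draft post mixing the legitimate domain with the lookalike.
    draft = ("Check whether you were affected at https://www.securityequifax2017.com "
             "or read our statement at https://www.equifaxsecurity2017.com.")
    bad = unofficial_links(draft)
    if bad:
        print("Do not publish; unofficial links found:", bad)
    else:
        print("All links point at official domains.")
```

Running the check as part of whatever tooling publishes social media posts turns a human copy-paste error into a blocked post rather than a promoted phishing link; the same helper can review already-published posts for the same mistake.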
Georgia State marketing professor Vi Kumar has helped companies recover from crises and said the company needs to slow down and think through each and every move. He said it first needs to convince its employees that it’s doing everything it can to fix the issue, before it works on the bigger task of helping customers regain trust in the company.
"Sometimes when we’re in a state of shock, we become very vulnerable. Even the employees would be worried about their jobs. Once the employees get the confidence, then they can also spread the word of mouth that they believe in it,” Kumar said. “I think they should not be in a rush to find a quick fix and that's what happened with the wrong link being tweeted."
In a statement Thursday, Equifax said all posts using the wrong link were taken down.
“We apologize for the confusion. Consumers should be aware of fake websites purporting to be operated by Equifax. Our dedicated website for consumers to learn more about the incident and sign up for free credit monitoring is https://www.equifaxsecurity2017.com, and our company homepage is www.equifax.com. Please be cautious of visiting other websites claiming to be operated by Equifax that do not originate from these two pages.”
Humayun Zafar teaches information security at Kennesaw State University. He said phishing campaigns are a tactic used to impersonate legitimate groups in order to steal personal information and financial account credentials.
"It's very rare for the entity that’s been phished to actually tweet those things,” Zafar said. “That's probably the worst thing they could possibly do. I think it's been a public relations nightmare for these guys."
He said at this point, it's going to take Equifax a long time to regain the public's trust.
This is just the latest fumble by Equifax, which faces multiple class-action lawsuits, including one filed in federal court by former Georgia Gov. Roy Barnes.
The company has more than 2,000 employees in Atlanta.