Equifax has been accidentally sending victims looking to verify if they were impacted by its massive data breach to a fake phishing website for nearly two weeks. The embattled credit company disclosed earlier in September that it suffered a massive data breach that saw the theft of valuable personal data of about 143 million Americans.
Since the announcement, Equifax has been directing concerned consumers to a separate website - equifaxsecurity2017.com. This website allows people to determine whether their personal data, including names, birth dates, and Social Security numbers were exposed in the breach.
It also allows users to enrol in Equifax's identity theft protection services and get updates on how the firm is handling the "cybersecurity incident."
For nearly two weeks, however, Equifax's official Twitter account has been directing some users to securityequifax2017.com - a fake, copycat version of its help page created by a concerned software developer, rather than the real response website.
The knockoff website was created by developer Nick Sweeting to expose the dangers of phishing and the vulnerabilities that lie in creating a new, separate website for consumers to use and divulge their personal information. Security experts have voiced concerns over Equifax's separate response website saying it should have hosted the site under its own domain name - Equifax.com - to assure users that they are securely providing their data to the real website and not a fake one.
"As it stands, their site is dangerously easy to impersonate, it only took me 20 minutes to build my clone," Sweeting told Fortune via direct message on Twitter. "I can guarantee there are real malicious phishing versions already out there."
Since 9 September, Equifax mistakenly tweeted out the link to Sweeting's fake phishing site at least eight times. The company has since deleted the tweets.
"All posts using the wrong link have been taken down," Equifax said in a statement. "To confirm, the correct website is https://www.equifaxsecurity2017.com. We apologise for the confusion."
Sweeting added: "I just hope the employee who posted the tweet doesn't get fired, they probably just Google'd for the URL and ended up finding the fake one instead. The real blame lies with the people who originally decided to set the site up badly."
Equifax has drawn fierce criticism since the disclosure over its security practices, its delayed public announcement of the massive intrusion and three executives who reportedly sold shares just days after the firm discovered the breach, but before it was publicly disclosed.
The firm said a months-old Apache Struts server vulnerability was exploited by hackers - a patch for which was made available back in March, more than a month before the cyberattack took place between 13 May through 30 July.
"Equifax's Security organisation was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company's IT infrastructure," the company said in a statement. "While Equifax fully understands the intense focus on patching efforts, the company's review of the facts is still ongoing."
The company has been hit with a number of lawsuits and is facing probes led by multiple states, Congress, the FBI and, reportedly, the Justice Department. Two top Equifax executives - the company's chief security officer and chief information officer - announced their immediate retirement last week.