Equifax, the firm beleaguered by a record hack which compromised millions of sensitive, personal details (multi-nationally) has made yet another world-class slip-up.
Wrong URL Tweeted
Further to the recent revelations that over 143 million people had been compromised (potentially 44 million+ in the UK alone), it appears that their staff mistakenly tweeted an incorrect web address, causing people to be sent to a false website which could have had disastrous consequences.
In the wake of the controversy about the company keeping quiet for weeks before the issue was made public (compounded by key-executive shareholders selling their shares before the news went out), this momentous gaffe has only added fuel to the flames. The share price dropped from 142.72 points on Thursday 7th September when the announcement was made, to 92.98 on Friday the following week.
A separate website, namely a micro-site with address equifaxsecurity2017.com was hastily constructed after the hack, with the purpose of allowing people to find out more information about this specific incident. Additionally, visitors are supposed to be able to find out if they were part of the original hack, which required that they entered their private details to be checked.
Beware Online Forms
As well as pertinent information about the breach, the micro-site also contains an enrolment form, which naturally requires visitors to enter private information.
The domain name in question, equifaxsecurity2017.com, is separate from the main domain of equifax.com and therefore people are either naturally skeptical of it or - more worryingly - don't know that this could easily be a spoofed website which is what one software engineer created, within minutes.
"Yeah... no thanks... it would take me literally 20 mins to build a clone of this site." tweeted Nick Sweeting ... and then he went on to do exactly that. He setup the similar-sounding website securityequifax2017.com very quickly and then made people aware of it via Twitter.
In this instance, the site simply told visitors who had completed the spoofed form that they'd been "bamboozled", just to highlight the issue. Nick Sweeting was not out to maliciously attack anyone, merely point out the flaws.
The problem started when Equifax staff themselves mistakenly shared the wrong website (i.e. the spoof site) on their Twitter feed, causing chaos which lasted over a week.
Security commentators have been less than complimentary about the debacle, although Equifax have now stated they've removed all the incorrect URL's from their feed.
How Does This Affect Your Business?
This story shows the importance of ensuring you declare any known data-breaches at the earliest opportunity (which you are legally obliged to do) and then handling the inevitable fall-out as quickly and professionally as possible to limit the damage.
It can be difficult to spot a fake website, so here's a few things you can look out for :