If you haven’t heard the particulars on the Equifax debacle, let me fill you in. There is a lesson to be learned for every business or institution possessing sensitive information.
You may remember that the credit agency suffered a very serious hack that began in May 2017 and went undetected until Equifax discovered it on July 29. It affected over 143 million Americans. It was early September before the company revealed this data breach, one of the worst ever, to the public.
Here’s where things get really phishy (sorry, couldn’t resist the pun).
Equifax created equifaxsecurity2017.com, a website designed to address customer questions and concerns over the breach. Nick Sweeting, a software engineer, quickly saw a flaw and exploited it. He registered securityequifax2017.com, simply swapping the order of the two words, and stood up an imitation site that looked nearly identical to the real one save for one detail (which we'll get to in a little bit). This was easily accomplished with a standard command-line tool that downloads a website's pages and assets and produces a working local copy.
Wait. It gets much worse. Over several days, posts from Equifax's own Twitter account directed people to Sweeting's version of the site instead of the real one. The look of the site was nearly identical to that of the Equifax page, down to an identical prompt to enroll for complimentary identity protection. Had the lookalike asked for the last six digits of a Social Security number, as the real site did, visitors would have had no visual cue that anything was wrong.
Fortunately, Sweeting's page included one addition: a headline pointing out that Equifax had chosen a domain that was easily impersonated. Eventually, browsers flagged the site as a phishing page and blocked it. However, Sweeting reported over 200,000 hits to the fake Equifax landing page before that happened.
Where Did Equifax’s Cyber Security Measures Go So Wrong?
The sad truth is that Equifax made a beginner's mistake. When Equifax created the breach website, it did not use a subdomain but rather an entirely separate, newly registered domain. That makes the site very easy to impersonate: anyone can register a name that merely resembles equifaxsecurity2017.com, and a visitor has no way to tell which of two unfamiliar domains is the genuine one. Only Equifax can create names under equifax.com. Had the company used a subdomain such as security.equifax.com, visitors could have checked a single thing, that the address ends in equifax.com, to determine the legitimacy of the web address. Note that the check has to be on the registrable domain itself, not on whether the word "equifax" appears somewhere in the address; equifax.com.example.net is not an Equifax site.
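To make the "check the registrable domain" rule concrete, here is an added example (not from the original post, and not Equifax's or Sweeting's code) in Python. It treats equifax.com as the trust anchor, which is an assumption made for illustration, and tests candidate URLs against it, including the two real domains from the incident and several constructed traps: a substring match, an apex-as-prefix trick, and a URL with a decoy hostname in the userinfo part. It also enumerates the word-order and hyphenation variants of a multi-word domain, which is how a defender who insists on a standalone name could at least find and register or monitor the swap Sweeting used.

```python
"""Lookalike-domain checks for the Equifax breach-site problem.

Added example, not from the original post. equifaxsecurity2017.com and
securityequifax2017.com are the real domains from the incident; every other
hostname below is a constructed test case.
"""
from itertools import permutations
from urllib.parse import urlsplit

# Assumption for illustration: the apex domain the company actually controls.
TRUSTED_APEX = "equifax.com"


def hostname_of(url: str) -> str:
    """Return the host a browser would actually connect to, lowercased.

    urlsplit().hostname resolves tricks such as
    'https://security.equifax.com@securityequifax2017.com/', where the text
    before '@' is userinfo, not the host. A trailing dot is stripped so that
    'equifax.com.' compares equal to 'equifax.com'.
    """
    if "://" not in url:
        url = "https://" + url  # allow bare hostnames as input
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_under_trusted_domain(url: str, apex: str = TRUSTED_APEX) -> bool:
    """True only if the host is the apex itself or a proper subdomain of it.

    A substring or plain suffix test is not enough:
      'notequifax.com'        contains the apex but is not under it
      'equifax.com.evil.net'  starts with the apex but is under evil.net
    Requiring host == apex or host.endswith('.' + apex) handles both.
    """
    host = hostname_of(url)
    apex = apex.lower()
    return host == apex or host.endswith("." + apex)


def lookalike_candidates(words, tld="com"):
    """Enumerate word-order and separator variants of a multi-word domain.

    Sweeting's site swapped the first two words of equifaxsecurity2017.com.
    Given the words of such a name, this yields every reordering, joined
    with no separator and with hyphens, excluding the original itself.
    """
    original = "".join(words) + "." + tld
    variants = set()
    for order in permutations(words):
        for sep in ("", "-"):
            variants.add(sep.join(order) + "." + tld)
    variants.discard(original)
    return sorted(variants)


if __name__ == "__main__":
    samples = [
        "https://security.equifax.com/",                          # legitimate subdomain
        "https://equifaxsecurity2017.com/",                       # real breach site, standalone domain
        "https://securityequifax2017.com/",                       # Sweeting's lookalike
        "https://security.equifax.com@securityequifax2017.com/",  # decoy in userinfo
        "https://equifax.com.evil.net/",                          # apex used as a prefix
        "https://notequifax.com/",                                # substring match only
    ]
    for u in samples:
        print(f"{str(is_under_trusted_domain(u)):5} {u}")
    print(lookalike_candidates(["equifax", "security", "2017"]))
```

Run as a script, the only URL that passes is security.equifax.com; both the genuine equifaxsecurity2017.com and the lookalike fail, which is exactly the problem with a standalone domain: the check that would protect visitors cannot distinguish the real site from the fake.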
The fact that this could happen to a credit agency is amazing, given the current cyber security threats and trends. You see, this wasn't only a case of lax cyber security protocol. It's readily apparent that one part of the organization had no idea what the other part was doing: the team that registered the domain did not think about impersonation, and the team running the Twitter account had no reliable way to recognize the real site from the fake. This sort of thing happens every day in small companies as well as large businesses such as Equifax. If no one team is responsible for all facets of your internet presence, it opens up additional opportunities for exploitation.
Why Use a Multi-Disciplined IT Firm?
At Beacon, we take your security seriously. But it’s not only what we do. Professionals in IT, web design, social media and digital marketing come together to ensure your site’s safe so you can build your online business. When a single team oversees all of your online activity, one hand knows what the other is doing. These kinds of mistakes simply don’t happen.
Get a free website security assessment or contact us at 336.447.3473 with any questions regarding your business's cyber security needs. I'd like to help you avoid the kind of mistakes that can damage an otherwise sound business such as Equifax.