Technologist - The FindLaw Legal Technology Blog

Equifax Accidentally Sent Breach Victims to Fake Scam Site

While corporate data breaches and hacks are becoming regular occurrences, rarely, if ever, do companies make errors in the aftermath as bad as Equifax did in the wake of the recent hack of its database. The major credit reporting company actually sent individuals concerned that their info was stolen in the hack to a fake scam website.

Luckily for Equifax, and the public, the scam website was not really scamming anyone, and it was not built by a hacker or scammer, but rather by a rogue do-gooder and programmer who is fed up with poor corporate cybersecurity.

How Did This Happen?

After the hack, Equifax set up a website with the URL www.EquifaxSecurity2017.com. At almost the same time, Nick Sweeting, an altruistic programmer, set up a website with the URL www.SecurityEquifax2017.com. Sweeting had no ill intent or designs to deceive the public. At the top of his page, the header clearly read:

Cybersecurity Incident & Important Consumer Information Which is Totally Fake, Why Did Equifax Use A Domain That's So Easily Impersonated By Phishing Sites?

Sweeting's purpose for setting up the fake site was to teach Equifax and other companies a lesson in cybersecurity (as well as to help teach the public how easy it is to get duped by phishing sites). The fact that Equifax itself was sending people to the fake website only served to illustrate how dangerous and ill conceived Equifax's special security information website was. Equifax tweeted the link to Sweeting's site several times. Sweeting's site got nearly 200,000 hits before he took it offline. He has made assurances that no personal data was captured by the website, but noted that if he had spent two more minutes building the site, it could have been incredibly malicious.

One Dot Com to Rule Them All

As Sweeting explained, Equifax should not have set up a new domain to distribute information about the hack, as doing so opened the company up to being spoofed: a brand-new domain carries no established trust, and a visitor has no way to tell the real one from a lookalike that merely swaps the words around. Rather, he recommends that the information should simply have been published on the www.Equifax.com domain.
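The word-swap lookalike described above is easy to check for from the defender's side. The following is an added example (not code from the article or from Sweeting) that takes the word tokens of a company's incident domain and classifies observed hostnames, such as those pulled from a certificate-transparency feed or proxy log, as the official site, a token-permutation lookalike, a domain that merely contains all the tokens, or unrelated. The token list, the observed hostnames and the single-label TLD handling are assumptions made for the example.

```python
from itertools import permutations

# Constructed inputs for the example: the official incident domain split
# into the words a lookalike would reorder, and a batch of observed hostnames.
OFFICIAL_DOMAIN = "equifaxsecurity2017.com"
TOKENS = ["equifax", "security", "2017"]
OBSERVED = [
    "www.equifaxsecurity2017.com",   # the real site
    "securityequifax2017.com",       # the word-order swap from the article
    "2017-equifax-security.net",     # another order, hyphenated, other TLD
    "equifaxsecurity2017info.com",   # tokens present plus extra text
    "equifax.com",                   # the brand's main domain
    "example.org",
]


def permutation_lookalikes(tokens):
    """Every way of concatenating the tokens in a different order."""
    return {"".join(p) for p in permutations(tokens)}


def registrable_label(hostname):
    """Second-level label, lower-cased, hyphens removed.
    Assumes a single-label TLD (.com, .net); multi-label suffixes
    such as .co.uk would need a public-suffix list."""
    parts = hostname.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return label.replace("-", "")


def classify(hostname, tokens=TOKENS, official=OFFICIAL_DOMAIN):
    host = hostname.lower().rstrip(".")
    if host == official or host.endswith("." + official):
        return "official"
    label = registrable_label(host)
    if label in permutation_lookalikes(tokens):
        return "token-permutation"
    if all(t in label for t in tokens):
        return "contains-all-tokens"
    return "unrelated"


def scan(hostnames, tokens=TOKENS, official=OFFICIAL_DOMAIN):
    """Return only the hostnames worth a second look, with their verdict."""
    verdicts = {h: classify(h, tokens, official) for h in hostnames}
    return {h: v for h, v in verdicts.items() if v not in ("official", "unrelated")}


if __name__ == "__main__":
    for host, verdict in scan(OBSERVED).items():
        print(f"{verdict:22} {host}")
```

Flagged hostnames are candidates for a takedown request or for defensive registration; the check is deliberately narrow and does not catch typo-squats or homoglyph domains.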

This lesson is one that any company can and should learn, thanks to Sweeting's altruistic waste of $15 and some time. If you've spent time and money building your domain, and building consumer confidence in your domain, don't risk it by sending users to a different domain, especially one that is so easily spoofable, and above all not right after suffering a serious security breach. Hacking is not a "gentlemen's sport" like rugby. Hackers will kick you while you are down, and rob you and your customers before you can even finish typing in your woefully outdated password.
