SAN FRANCISCO — Equifax says its systems were not breached and blames a third-party vendor for running malicious code.
On Thursday, a security analyst reported that a link on the Equifax website redirected him to a third-party site that encouraged him to download malware.
"The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content," Equifax said in a statement. "Since we learned of the issue, the vendor’s code was removed from the web page and we have taken the web page offline to conduct further analysis."
Security analyst Randy Abrams said he encountered the malicious link when downloading his credit report. A link on the Equifax site directs users to an announcement that the credit report assistance page is down for maintenance.
Shares dropped as much as 3.5% Thursday.
"This incident should serve as a warning for any website operator to know and control vendor risk in the digital world – all website code, both first and third party, should be continuously monitored to avoid these scenarios," Chris Olson, CEO of cybersecurity firm The Media Trust, said in an emailed statement.
The malware, first reported by tech news site Ars Technica, comes a month after Equifax disclosed that a massive data breach exposed the Social Security numbers and birthdates of as many as 145.5 million Americans.
Last week Equifax disclosed that hackers may have stolen the personal information of 2.5 million more U.S. consumers than it initially estimated.
The company said the additional customers were not victims of a new attack but rather victims whom the company had not counted before.
The breach and, even more so, Equifax’s handling of it angered lawmakers.
The Equifax website and the call centers it established to serve customers faltered. Many consumers faced error messages on the website and couldn't reach anyone at Equifax by phone.
The company’s former chief executive, Richard Smith, who was forced into retirement after the breach was disclosed, was criticized by lawmakers in four congressional hearings last week. A few times, he visibly flinched as he was grilled over the hack that was first made public on Sept. 7.
Smith said the hack was possible because someone in Equifax's security department didn’t patch a flaw the company had been alerted to by the U.S. Computer Emergency Readiness Team.
A scan performed later to check that the patch had been implemented failed to detect that it hadn’t, he told lawmakers.
Just as consumers are constantly urged to update their software to guard against problems that can be exploited by hackers, large corporations also get notices that it's time to upgrade, known in the industry as patching.
Rep. Patrick McHenry (R-N.C.) introduced legislation Thursday that would require credit reporting companies like Equifax to stop using Social Security numbers to verify people's identities by 2020. The legislation would also allow consumers to freeze access to their credit and would force credit reporting companies to submit to regular cybersecurity reviews.
Contributing: Elizabeth Weise