Cyber Incident Victim: Equifax Inc.
Date: Oct 2017
Location: United States of America
Summary
The credit bureau's assistance portal delivered malicious spyware via a third-party vendor's code, prompting fake Flash updates that installed adware. The company removed the code and took the page offline, asserting no system compromise. This incident exacerbated public distrust following an earlier breach exposing sensitive personal data of millions, including Social Security numbers, and preceded another service shutdown due to vulnerabilities allowing unauthorized access to salary histories.
Description
In October 2017, Equifax faced additional cybersecurity scrutiny when its consumer credit report assistance website was found serving malicious content. On October 10, security researcher Randy Abrams documented that clicking a link on Equifax’s portal redirected users to a fraudulent Adobe Flash Player update prompt. The fake installer, identified by antivirus tools as Adware.Eorezo, delivered spyware capable of deploying unwanted browser toolbars and advertisements. Ars Technica’s Dan Goodin first reported the incident, noting the malware’s detection and distribution mechanism. Equifax initially responded by taking the affected webpage offline "out of an abundance of caution" pending investigation. Subsequent analysis revealed the compromise originated from a third-party vendor’s code embedded on the site to collect performance metrics. Equifax removed the vendor’s code and reiterated that its core systems were not breached and that the consumer dispute portal remained unaffected.

This incident compounded existing public distrust following Equifax’s September 7, 2017, disclosure of a massive breach exposing Social Security numbers and sensitive data of over 145 million Americans. Days prior to the fake Flash update issue, KrebsOnSecurity reported that Equifax’s payroll and tax administration site allowed unauthorized access to salary histories using only a Social Security number and birthdate—data elements stolen in the earlier breach. Equifax disabled the payroll service hours after the report, but it remained offline four days later. The company’s repeated security lapses and inconsistent public communications fueled criticism of its crisis management, with the October incident further eroding confidence despite Equifax’s assurances of limited impact.
