
After Equifax breach, company sent victims to wrong site for weeks: report


Nearly two weeks after Equifax revealed that data from 143 million people had been compromised, it turns out the company has been sending people to the wrong site to check if their data was compromised, The Verge reports.

After the breach was revealed on Sept. 7, the company -- one of the nation's three biggest credit bureaus -- set up the website equifaxsecurity2017.com for customers to check if they had been affected. 

But several tweets dating as far back as Sept. 9 show that the company's customer service team mistakenly sent users to a different site, securityequifax2017.com.

The tweets were taken down, but some had remained posted for over 24 hours, as Twitter users noted.

Luckily, the incorrect domain wasn't a nefarious phishing site, but a site built to make a point. Nick Sweeting registered the domain, which reverses the words "security" and "equifax," to draw attention to the vulnerability of the actual Equifax site. The fact that the security site is on a separate domain, and not on equifax.com, "makes it ridiculously easy for scammers to come in and build clones," he told the outlet. 

He told The Verge that data that duped consumers had entered into his page would not leave it.

Equifax has been roundly criticized for its response to the breach from the day it was revealed. The decision to create a separate website drew ire in the tech community, with Gizmodo calling it "monumentally stupid." The separate site asked consumers to enter their last names and the last 6 digits of their Social Security numbers to check if their data was stolen, but it gave responses even for bogus names and numbers (such as "Trump" and "123456"), leaving many to question its accuracy. And when Equifax offered breach victims a free year of its credit-monitoring service, the initial terms of use required consumers to sign away their legal rights to sue the company. (Equifax later backed away from that requirement.)

The company announced on Sept. 7 that hackers gained access to 143 million American consumers' personal information after exploiting a vulnerability on its website. The theft, which occurred between mid-May and July, included people's names, Social Security numbers, birth dates and other data.

The Federal Trade Commission said last week it was launching a probe into the breach.
