TORONTO – Equifax Inc. is reporting that a third-party vendor the credit rating agency uses to collect performance data on its U.S. Equifax website was serving malicious content.
“Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis,” an Equifax spokesperson said in an emailed statement Thursday.
“Equifax can confirm that its systems were not compromised and that the reported issue did not affect our customer dispute portal.”
Earlier Thursday, Equifax Canada said its U.S. parent company was temporarily taking down one of its customer services pages amid reports that hackers had allegedly altered Equifax’s credit report assistance page so that it would send users malicious software disguised as Adobe Flash.
“We are aware of the situation identified on the equifax.com website in the credit report assistance link,” Equifax Canada spokesman Tom Carroll said in an emailed statement.
“Our IT and security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline.”
Carroll did not respond to direct questions about any potential breach to Equifax Canada’s website.
The news comes as Equifax Inc. continues to deal with the aftermath of a cyber breach earlier this year which allowed the personal information of 145.5 million Americans, and 8,000 Canadians, to be accessed or stolen.
Since news of Equifax’s massive data breach broke last month, the company has faced investigations in Canada and the U.S., as well as at least two proposed class actions filed in Canada.
The massive data breach has also led to a number of high-profile departures at the Atlanta-based consumer credit reporting agency, including its chief executive, chief information officer and chief security officer.
In early October, Equifax revised the number of consumers potentially impacted in the breach — bumping up the total in the U.S. to 145.5 million and reducing the number in Canada from an estimated 100,000 to 8,000.
For these Canadian consumers, Equifax says the information that may have been accessed includes name, address, social insurance number and, in “limited cases,” credit card numbers.
On its website, Equifax’s Canadian division says it has not yet mailed out any notices and made clear it would not be making any unsolicited calls or emails about the issue.
In September, Equifax reported that its investigation had shown that hackers had unauthorized access to its files from May 13 to July 30. Equifax Canada said at the time it was working closely with its parent company Equifax Inc. and an unnamed, independent cybersecurity firm conducting the ongoing investigation.
The cyberattack occurred through a vulnerability in Apache Struts, an open-source application framework that Equifax uses. The United States Computer Readiness team detected and disclosed the vulnerability in March, and Equifax “took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.”
— With files from The Associated Press.