Equifax Launches WordPress-Powered Site for Consumers Affected by Security Breach

photo credit: Lock(license)

Equifax has launched a WordPress-powered website to connect with consumers affected by its recent security breach, which compromised 143 million customers’ personal data. The exposed data includes names, birth dates, social security numbers, addresses, credit card numbers, driver’s license numbers, and other sensitive financial information.

The equifaxsecurity2017.com site was launched shortly after disclosure to give consumers information about the security incident. Equifax reports that the company has found no evidence of unauthorized activity on its core consumer or commercial credit reporting databases but is offering free identity theft protection and credit file monitoring services to U.S. consumers who enter their last names and last six digits of their social security number into its form.

Consumers are rightfully wary of the website, as the company is asking for more personal information in order to sign people up for another one of its products. Various news outlets are decrying the fact that the site is built on WordPress.

“What’s more, the website which Equifax created to notify people of the breach, is highly problematic for a variety of reasons,” Ars Technica Security Editor Dan Goodin said. “It runs on a stock installation WordPress, a content management system that doesn’t provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number.”

Goodin also referenced the output of https://www.equifaxsecurity2017.com/wp-json/wp/v2/users/ which earlier in the day exposed the username for the site’s administrator before the page was protected.

WordPress’ handbook has a section on reporting security vulnerabilities that explains why disclosures of usernames or user IDs is not a security issue:

The WordPress project doesn’t consider usernames or user ids to be private or secure information. A username is part of your online identity. It is meant to identify, not verify, who you are saying you are. Verification is the job of the password.

Generally speaking, people do not consider usernames to be secret, often sharing them openly. Additionally, many major online establishments — such as Google and Facebook — have done away with usernames in favor of email addresses, which are shared around constantly and freely. WordPress has also moved this way, allowing users to log in with an email address or username since version 4.5.

WordPress Core Security Team Lead Aaron Campbell clarified this section of the handbook to confirm that the users endpoint is intended to be an open API endpoint that serves public data.

“It does in fact include usernames and user IDs (among other things) for users that have published posts in a post type that is set up to use the API, but all the data is considered public,” Campbell said.

Campbell also said he is wary of entering personal data into the equifaxsecurity2017.com website, but not because it is using WordPress.

“I don’t think the fact that it runs on WordPress is a concern from a security standpoint, with the caveat that I don’t know what ELSE it’s using,” Campbell said. “‘Equifax’ is a trusted brand, but it’s not the official Equifax domain and the SSL certificate doesn’t verify ownership. So you know your data is encrypted, but not necessarily who it’s being sent to since you don’t know who owns the site.”

It’s not clear why Equifax simply didn’t build out the information site on its own domain. According to security investigator Brian Krebs, the company appears to have hired Edelman PR, a global PR firm, to handle its public response to the data breach, citing the username publicly displayed by WordPress’ API. Edelman PR opted to use a free Cloudflare certificate to secure the site.

Consumers were also off put by the verbiage of the arbitration clause included in the terms and services of the free credit monitoring, which appears to force those who sign up to waive their rights to participate in class action lawsuits against the company.

“I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived,” Krebs said.

Kenneth White, a security researcher and director of the Open Crypto Audit Project, said on Twitter that he was amazed the site was running stock WordPress but that his comments specifically referenced the sloppy implementation of the site.

Due to how the site was set up, it appeared to many consumers and researchers as Equifax’s way of stalling or perhaps even scamming those who may have been affected by the breach. Various browsers flagged it as a phishing threat, and some consumers found they were given different answers from the form based on whether they checked with desktop or mobile devices. In responding to the incident with a website that appears to have been hastily implemented for its own convenience and corporate interests, Equifax has missed an opportunity to reclaim any remaining consumer confidence from the public.

13 Comments


  1. Ya know, I’d feel better about usernames being in the public API if a 2FA of some sort was implemented into core. Until that happens, most my client base doesn’t care about author names so I’ll continue to block or redirect anything referring to them.

    Report


    1. exposing user login name is a security threat especially for a site like that, as it makes it easier to DDOS a site as login attempts, even if using wrong password take a relatively huge amount of CPU resources by (the correct) design.

      it is amazing to me that core is willing to break backward compatibility for UI candy like the text widget or gutenberg but can not break it to fix this kind of security issue.

      Report


  2. It’s telling that the wider world equities stock WordPress with lack of security

    Report


    1. It’s been that way as long as I can remember. It’s really more a user problem than it is the software being insecure.

      The WordPress team rolls out patches quickly, but how many sites have you come across with core out of date, 50 plugins installed, 45 of them active, 44 needing an update or no longer supported. That scenario is far more common than a well maintained site, unfortunately.

      Add to that the people who insist on using MyWeakPassword1234 everywhere on the internet, multiply everything by WordPresses market share and sprinkle on dash of good old fashion ignorance and it’s easy to see why WordPress is considered insecure.

      It’s funny really because keeping plugins up to date and using a unique, random password is about 90% of the battle. It’s not WordPress that’s insecure, it’s the way people use it.

      Report


  3. You know, I never gave Equifax, TransUnion or that other credit service permission to store my personal data. They just do it on their own without our permission.

    Then they want us to keep our information current or correct all the time. Well why do I have to do that when I never gave them permission to store my personal information in the first place. And they want to charge us money to “monitor” our own credit data. How upside down is this!

    Additionally we are expected to keep all 3 databases all up to date so that they can turn around and sell it to the financial institutions.

    These guys are scumbags – it’s as simple as that.

    Report


    1. I know right?

      I don’t believe Equifax is really trying to make up their mistakes: first of all, the monitoring system they offered is part of their company. If I can’t trust Equifax, how can I trust another service offered by the same company? Secondly, the free service offered is only free for a year, but my personal information has been compromised forever, what am I supposed to do after the first year? I have to pay $19.99/month to continue using the monitoring service. That’s total ripoff. Thirdly, the potential checker website is very shady because you can put in fake information and it will randomly tell you your information might have been compromised and you need to enroll in their monitoring service.

      Report


    2. Marcus,
      When you open an account or take out a loan/credit card with a financial institution, you give them permission to share that info with credit monitoring agencies, such as Equifax.

      Report


  4. Why was WP even used? Seems completely unnecessary to use a full CMS platform for a simple site like that…just introducing a ton of bloat and potential security issues for no reason.

    Report


    1. Hire PR firm. Tell them to “handle it.” PR firm hastily spins this up as a solution. (That’s my best guess, anyway.)

      Report


  5. This odd domain name was a REALLY stupid thing. Ironic, even – that with the response to a security incident like this, they would address it specifically with all the workings of a phishing scam. I’m [pretty] sure they didn’t mean to do that, but it was so badly done, a colleague and I looked at it, thinking it was some kind of joke or phishing awareness trick. I mean, you click on a link from a news article for an Equifax security breach and you get brought to a page that ANYONE of us could have registered and it asks you for your name and almost ALL of your social security number? I couldn’t believe it. I still can’t.

    Mike

    Report


  6. I’m not sure how the user names were exposed. You should get an error if you try to access them as an outside user:

    {“code”:”rest_user_cannot_view”,”message”:”Sorry, you are not allowed to list users.”,”data”:{“status”:401}}

    Mike

    Report


  7. Signing up for their free protection services also has a clause to remove you from arbitration, and also is a free service for 1 year after which you will be automatically enrolled and charged for the service.

    Report

Comments are closed.