Equifax has launched a WordPress-powered website to connect with consumers affected by its recent security breach, which compromised 143 million customers’ personal data. The exposed data includes names, birth dates, social security numbers, addresses, credit card numbers, driver’s license numbers, and other sensitive financial information.
The equifaxsecurity2017.com site was launched shortly after disclosure to give consumers information about the security incident. Equifax reports that the company has found no evidence of unauthorized activity on its core consumer or commercial credit reporting databases but is offering free identity theft protection and credit file monitoring services to U.S. consumers who enter their last names and last six digits of their social security number into its form.
Consumers are rightfully wary of the website, as the company is asking for more personal information in order to sign people up for another one of its products. Various news outlets are decrying the fact that the site is built on WordPress.
“What’s more, the website which Equifax created to notify people of the breach is highly problematic for a variety of reasons,” Ars Technica Security Editor Dan Goodin said. “It runs on a stock installation of WordPress, a content management system that doesn’t provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number.”
Goodin also referenced the output of https://www.equifaxsecurity2017.com/wp-json/wp/v2/users/, which earlier in the day exposed the username of the site’s administrator before the page was protected.
WordPress’ handbook has a section on reporting security vulnerabilities that explains why disclosure of usernames or user IDs is not considered a security issue:
The WordPress project doesn’t consider usernames or user ids to be private or secure information. A username is part of your online identity. It is meant to identify, not verify, who you are saying you are. Verification is the job of the password.
Generally speaking, people do not consider usernames to be secret, often sharing them openly. Additionally, many major online establishments — such as Google and Facebook — have done away with usernames in favor of email addresses, which are shared around constantly and freely. WordPress has also moved this way, allowing users to log in with an email address or username since version 4.5.
WordPress Core Security Team Lead Aaron Campbell clarified this section of the handbook to confirm that the users endpoint is intended to be an open API endpoint that serves public data.
“It does in fact include usernames and user IDs (among other things) for users that have published posts in a post type that is set up to use the API, but all the data is considered public,” Campbell said.
Campbell also said he is wary of entering personal data into the equifaxsecurity2017.com website, but not because it is using WordPress.
“I don’t think the fact that it runs on WordPress is a concern from a security standpoint, with the caveat that I don’t know what ELSE it’s using,” Campbell said. “‘Equifax’ is a trusted brand, but it’s not the official Equifax domain and the SSL certificate doesn’t verify ownership. So you know your data is encrypted, but not necessarily who it’s being sent to since you don’t know who owns the site.”
It’s not clear why Equifax simply didn’t build out the information site on its own domain. According to security investigator Brian Krebs, the company appears to have hired Edelman PR, a global PR firm, to handle its public response to the data breach, citing the username publicly displayed by WordPress’ API. Edelman PR opted to use a free Cloudflare certificate to secure the site.
Not only did @Equifax suffer a massive data breach, but their site about the breach is using a free shared CloudFlare SSL cert. ಠ_ಠ pic.twitter.com/r4bvPpde1i
— Daniel Lo Nigro (@Daniel15) September 8, 2017
Consumers were also put off by the wording of the arbitration clause included in the terms of service for the free credit monitoring, which appears to force those who sign up to waive their right to participate in class action lawsuits against the company.
“I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived,” Krebs said.
Kenneth White, a security researcher and director of the Open Crypto Audit Project, said on Twitter that he was amazed the site was running stock WordPress, but clarified that his comments were aimed at the sloppy implementation of the site rather than at WordPress itself.
intent wasn't to blast WP, this is just sloppy—default admin pages, default nginx errors, wonky certs, phish flagged…
— Kenn White (@kennwhite) September 8, 2017
Due to how the site was set up, it appeared to many consumers and researchers as Equifax’s way of stalling, or perhaps even scamming, those who may have been affected by the breach. Various browsers flagged it as a phishing threat, and some consumers found that the form gave them different answers depending on whether they checked from a desktop or a mobile device. In responding to the incident with a website that appears to have been hastily implemented for its own convenience and corporate interests, Equifax has missed an opportunity to reclaim any remaining consumer confidence from the public.
Ya know, I’d feel better about usernames being in the public API if 2FA of some sort were implemented in core. Until that happens, most of my client base doesn’t care about author names, so I’ll continue to block or redirect anything referring to them.
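As an added example (not code from this article, from WordPress core, or from the Equifax site), this is the kind of hardening the users-endpoint discussion above and the commenter's "block or redirect" approach describe: a small plugin snippet that hides the `/wp/v2/users` routes and author archives from anonymous visitors. It assumes the route keys as registered by core's `WP_REST_Users_Controller` and is otherwise self-contained.

```php
<?php
/**
 * Plugin Name: Hide Author Identities From Anonymous Visitors
 * Description: Constructed example. Removes the public users routes from the
 * REST API and redirects author archives unless the visitor is logged in.
 */

// 1. Drop the users routes for unauthenticated REST requests.
//    Filtering the route table (rather than the URL) also covers the
//    ?rest_route=/wp/v2/users form of the request.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    // Keys exactly as core registers them: the listing and the single-user route.
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// 2. Author archives (and the ?author=N redirect that reveals the author slug)
//    go back to the front page for anonymous visitors.
add_action( 'template_redirect', function () {
    if ( is_author() && ! is_user_logged_in() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
} );

// 3. Strip author names from oEmbed responses, which also carry them.
add_filter( 'oembed_response_data', function ( array $data ) {
    unset( $data['author_name'], $data['author_url'] );
    return $data;
} );
```

Verify the change by requesting `/wp-json/wp/v2/users` in a logged-out browser session and confirming a `rest_no_route` error; logged-in editors keep normal access. Display names still appear wherever the theme prints them, so this hides identifiers from automated enumeration rather than removing them from the site.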