NEW YORK (Reuters) – Equifax Inc said on Thursday that one of its third-party vendors had been running malicious code on one of its web pages, but that the credit reporting agency was not the subject of another cyber attack and its systems were not compromised.
Equifax had said earlier it took the affected web page offline “out of an abundance of caution” following a report by the technology news website Ars Technica that the company’s website may have been hacked.
Atlanta-based Equifax disclosed a little over a month ago that cyber criminals had breached its systems between mid-May and late July and stolen the sensitive information of 145.5 million people.
“Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal,” spokeswoman Francesca De Girolami said in a statement on Thursday.
“The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content.”
The company said it has removed the vendor’s code from the web page, which was taken offline so the company can conduct further analysis.
Randy Abrams, an independent security analyst, said he noticed the issue late on Wednesday when he was attempting to check some information in his credit report and a bogus pop-up ad appeared on Equifax’s website.
The pop-ups could trick visitors into installing fraudulent Adobe Flash updates and infect computers with malware, he said in an interview with Reuters on Thursday.
“You’ve got to be kidding me,” he recalled thinking when he first saw the ads. Then he successfully replicated the problem at least five times, making a video that he posted to YouTube. (bit.ly/2z3GTLc)
Equifax’s security protocols have been under scrutiny since Sept. 7 when the company disclosed its systems had been breached. As a credit reporting agency, Equifax keeps vast amounts of consumer data for banks and other creditors to use to determine the chances of their customers’ defaulting.
The breach has prompted investigations by multiple federal and state agencies, including a criminal probe by the U.S. Department of Justice, and it has led to the departure of the company’s chief executive officer, chief information officer and chief security officer.
Equifax shares ended down 1.5 percent at $108.81.
Reporting by John McCrank; Editing by Bill Rigby