Since when...
... Is Equifax a bank? A consumer credit information tat bazaar perhaps (especially when they sell on your information without your express consent), but NOT a bank.
Equifax has followed HSBC in making a hash of renewing one of its digital certificates. Consumers logging onto Equifax's UK website last week were greeted with a notice that the site couldn't be verified because its certificate had expired. That's the same problem HSBC banking business customers also experienced last week …
that somehow managed to pass on a unique email address that I used only once to apply for my credit info to a phisher?
I use unique email addresses for each business I deal with to catch any spammers (ie: equifax@insertmydomainhere.com) and almost 2 yrs after getting my credit record from them, I received a phishing attempt mailed to, yep, equifax@insertmydomainhere.com.
It took many weeks of trying to explain this to them until I got hold of a security bloke there who understood why I was concerned (they sell identity fraud insurance after all) but after investigating couldn't explain how this had happened.
Article says "such slip ups are trivial but embarrassing".
If we spend time educating users to pay attention to the padlock and warnings given off by browsers then how is labeling this as something they can safely ignore going to help. FFS.
Paris - because she is neither trivial nor embarrassing.
"I use unique email addresses for each business I deal with to catch any spammers (ie: equifax@insertmydomainhere.com) and almost 2 yrs after getting my credit record from them, I received a phishing attempt mailed to, yep, equifax@insertmydomainhere.com."
Not surprising - just a brute-force attack. Spammers frequently send mails to {dictionary-of-usernames}@{dictionary-of-domains}. It's cheap and easy for them to do, and lets them discover new addresses to spam.
To prevent this happening, you should add a sufficiently long strong random cookie into each username you generate, e.g.
equifax-701c9a3c@insertmydomainhere.com
Or you could use something more sophisticated like BATV, which encodes an expiry timestamp and a signature into the address.
There's no evidence of Equifax having misappropriated your data here.