Equifax are now on my blacklist..

and will have to pay 1 pound for the privilege of having me look up why in my database to tell them why.

Purely an administrative charge you understand

that somehow managed to pass on a unique email address that I used only once to apply for my credit info to a phisher?

I use unique email addresses for each business I deal with to catch any spammers (ie: equifax@insertmydomainhere.com) and almost 2 yrs after getting my credit record from them, I received a phishing attempt mailed to, yep, equifax@insertmydomainhere.com.

It took many weeks of trying to explain this to them until I got hold of a security bloke there who understood why I was concerned (they sell identity fraud insurance after all) but after investigating couldn't explain how this had happened.

Article says "such slip ups are trivial but embarrassing".

If we spend time educating users to pay attention to the padlock and warnings given off by browsers then how is labeling this as something they can safely ignore going to help. FFS.

Paris - because she is neither trivial nor embarrassing.

"I use unique email addresses for each business I deal with to catch any spammers (ie: equifax@insertmydomainhere.com) and almost 2 yrs after getting my credit record from them, I received a phishing attempt mailed to, yep, equifax@insertmydomainhere.com."

Not surprising - just a brute-force attack. Spammers frequently send mails to {dictionary-of-usernames}@{dictionary-of-domains}. It's cheap and easy for them to do, and lets them discover new addresses to spam.

To prevent this happening, you should add a sufficiently long strong random cookie into each username you generate, e.g.

equifax-701c9a3c@insertmydomainhere.com

Or you could use something more sophisticated like BATV, which encodes an expiry timestamp and a signature into the address.

There's no evidence of Equifax having misappropriated your data here.