... Is Equifax a bank? A consumer credit information tat bazaar perhaps (especially when they sell on your information without your express consent), but NOT a bank.

Equifax are now on my blacklist..

and will have to pay 1 pound for the privilege of having me look up why in my database to tell them why.

Purely an administrative charge you understand

one other high street bank has an ongoing problem with its certificates, where, when online banking you occasionally find one that is least a year out of date. When I contacted them they didn't seem interested and just suggested I connect again.

that somehow managed to pass on a unique email address that I used only once to apply for my credit info to a phisher?

I use unique email addresses for each business I deal with to catch any spammers (ie: equifax@insertmydomainhere.com) and almost 2 yrs after getting my credit record from them, I received a phishing attempt mailed to, yep, equifax@insertmydomainhere.com.

It took many weeks of trying to explain this to them until I got hold of a security bloke there who understood why I was concerned (they sell identity fraud insurance after all) but after investigating couldn't explain how this had happened.

Article says "such slip ups are trivial but embarrassing".

If we spend time educating users to pay attention to the padlock and warnings given off by browsers then how is labeling this as something they can safely ignore going to help. FFS.

Paris - because she is neither trivial nor embarrassing.

Did you entertain the possibility that the spammer might just have guessed your email address?

"I use unique email addresses for each business I deal with to catch any spammers (ie: equifax@insertmydomainhere.com) and almost 2 yrs after getting my credit record from them, I received a phishing attempt mailed to, yep, equifax@insertmydomainhere.com."

Not surprising - just a brute-force attack. Spammers frequently send mails to {dictionary-of-usernames}@{dictionary-of-domains}. It's cheap and easy for them to do, and lets them discover new addresses to spam.

To prevent this happening, you should add a sufficiently long strong random cookie into each username you generate, e.g.

equifax-701c9a3c@insertmydomainhere.com

Or you could use something more sophisticated like BATV, which encodes an expiry timestamp and a signature into the address.

There's no evidence of Equifax having misappropriated your data here.