by froindt 3172 days ago
Someone in marketing probably didn't know that it mattered. Same with the head person who approved the email.

But don't worry, they'll have an engineer approve it next time as well!


But there are protections against this, such as HSTS. I would expect someone with as much sensitive information as Equifax to have HSTS + HPKP pinned into the major browsers. Their server should never even receive an HTTP request. It's just unrivaled incompetence.
HSTS doesn't help if it's your first visit to the site. To work around that they'd need to get into a preload list.
Which is easy if you set the preload header.
This. The technology (HSTS, HPKP, Subresource Integrity, upgrade-insecure-requests) is there; sites that need it just don't seem to use it.
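An added example (my own code, not from anyone in this thread) that parses a Strict-Transport-Security header and checks the three header-level requirements hstspreload.org enforces before a site can be baked into browsers (a max-age of at least one year, includeSubDomains, and the preload directive). The sample headers are constructed; the preload list's other requirements (an HTTP-to-HTTPS redirect, the header served on the base domain) are outside what this checker sees.

```python
# Parse a Strict-Transport-Security header (RFC 6797 syntax) and report
# whether it satisfies the hstspreload.org submission requirements.
# Directive names are case-insensitive; unknown directives are ignored.
import re

ONE_YEAR = 31536000  # seconds; minimum max-age accepted by the preload list


def parse_hsts(header):
    """Return a dict of lower-cased directive -> value (None if valueless)."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"') if value else None
        # RFC 6797: a directive appearing more than once makes the header invalid
        if name in directives:
            raise ValueError("duplicate directive: " + name)
        directives[name] = value
    return directives


def preload_eligible(header):
    """Return (eligible, problems) for a Strict-Transport-Security value."""
    problems = []
    try:
        d = parse_hsts(header)
    except ValueError as e:
        return False, [str(e)]
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        problems.append("max-age missing or not a number")
    elif int(max_age) < ONE_YEAR:
        problems.append("max-age below one year (%s)" % max_age)
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return (not problems), problems


# Constructed sample headers: a weak setting beside a preload-ready one.
WEAK = "max-age=300"
STRONG = "max-age=63072000; includeSubDomains; preload"

if __name__ == "__main__":
    for h in (WEAK, STRONG):
        print(repr(h), preload_eligible(h))
```

Without the preload directive and a list entry, the header only protects visitors after their first HTTPS visit, which is the gap the comment above points out.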
Normally, people in marketing don’t write URLs by hand. They copy them and check that they look nice or have a generator make them for them.

So, how did they copy an HTTP URL instead of HTTPS? The website should have redirected them to HTTPS before processing the request (and I just hope that their internal network isn’t compromised).