Last week, after news broke that Equifax was the victim of a critical security flaw that exposed hundreds of millions of Americans’ personal data, the company quietly took down its mobile apps from Apple’s App Store and Google Play. I wrote about this at the time, but wasn’t quite sure why the apps were removed. Now we finally have an idea.

Security researcher Jerry Decime wrote a LinkedIn post a few days ago describing the vulnerability he had found. Once he learned that Equifax had suffered a huge breach, he wondered how secure its mobile apps were and decided to test them. The results were troubling: though Equifax’s app used the encrypted HTTPS protocol to authenticate users, once they were logged in it fell back to plain HTTP in a number of locations, leaving those connections open to interception. Any data exchanged between users and Equifax over those HTTP connections is sent unencrypted.

The vulnerability was serious, but it is likely a separate issue from whatever caused the massive breach. Taken together, however, the two incidents suggest a pattern of negligence on Equifax’s part.

The use of plain HTTP, says Decime, exposes the app to what’s called a “man-in-the-middle” attack, in which a third party intercepts the communication between the app and the server. Because an attacker in that position can alter the unencrypted traffic, they could conceivably feed Equifax users a fake window prompting them to enter their personal data, which the attacker would then collect.

“This is really why we have that cryptography,” Decime tells me, explaining why the entire app should be using the HTTPS protocol, which encrypts all the data transferred. “It’s ultimately to mitigate those man-in-the-middle attacks.” He goes on: “They weren’t using crypto for critical interfaces, allowing attackers to inject their own markup including JavaScript.”
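The pattern Decime describes (an HTTPS login followed by plaintext HTTP calls that still carry the session and fetch content the app renders) is easy to catch when you audit your own app’s traffic. The following Python script is an added example, not code from the article, from Decime, or from Equifax: it takes a list of requests as a developer would capture them by proxying a test device running their own app, flags every cleartext request, rates how bad each one is, and lists hosts that are contacted over both schemes, which is the tell-tale sign of a session cookie being sent in the clear. The host names, paths and header values are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed sample: requests as a test device's intercepting proxy would log
# them while exercising a hypothetical mobile app (hosts and paths are made up).
SAMPLE_TRAFFIC = [
    {"method": "POST", "url": "https://api.example-bureau.test/login",
     "headers": {"Content-Type": "application/json"}},
    {"method": "GET", "url": "https://api.example-bureau.test/profile",
     "headers": {"Cookie": "session=abc123"}},
    # Same host and same session cookie, but now over plain HTTP.
    {"method": "GET", "url": "http://api.example-bureau.test/alerts",
     "headers": {"Cookie": "session=abc123"}},
    # Static help page fetched over HTTP and rendered inside the app.
    {"method": "GET", "url": "http://static.example-bureau.test/help.html",
     "headers": {}},
    # Form submission carrying a bearer token over HTTP.
    {"method": "POST", "url": "http://api.example-bureau.test/dispute",
     "headers": {"Authorization": "Bearer <redacted>",
                 "Content-Type": "application/json"}},
]

# Request headers whose presence on a cleartext request means a credential
# is crossing the network unencrypted.
SENSITIVE_HEADERS = {"cookie", "authorization", "x-auth-token"}


def classify(entry):
    """Return a finding dict for one captured request, or None if it is HTTPS."""
    parsed = urlparse(entry["url"])
    if parsed.scheme == "https":
        return None
    if parsed.scheme != "http":
        return {"url": entry["url"], "severity": "info",
                "reason": f"unexpected scheme {parsed.scheme!r}"}
    header_names = {name.lower() for name in entry.get("headers", {})}
    leaked = sorted(header_names & SENSITIVE_HEADERS)
    if leaked:
        # The session itself is exposed: anyone on the path can replay it.
        return {"url": entry["url"], "severity": "critical",
                "reason": "cleartext request carries credential header(s): "
                          + ", ".join(leaked)}
    if entry["method"].upper() in {"POST", "PUT", "PATCH"}:
        # User-supplied data is submitted unencrypted.
        return {"url": entry["url"], "severity": "critical",
                "reason": "cleartext request submits a body; user data is "
                          "readable in transit"}
    # Even a credential-free GET is a problem: the response can be replaced
    # on the wire, so injected markup or JavaScript reaches the app.
    return {"url": entry["url"], "severity": "high",
            "reason": "cleartext response can be modified in transit "
                      "(markup/JavaScript injection)"}


def audit(traffic):
    """All findings for a captured traffic list, in capture order."""
    return [finding for finding in map(classify, traffic) if finding]


def mixed_scheme_hosts(traffic):
    """Hosts contacted over both HTTPS and HTTP: the clearest sign that an
    authenticated session established over TLS is later sent in the clear."""
    schemes_by_host = {}
    for entry in traffic:
        parsed = urlparse(entry["url"])
        schemes_by_host.setdefault(parsed.hostname, set()).add(parsed.scheme)
    return {host for host, schemes in schemes_by_host.items()
            if {"http", "https"} <= schemes}


def report(traffic):
    """Human-readable summary of an audit run."""
    findings = audit(traffic)
    for finding in findings:
        print(f"[{finding['severity'].upper()}] {finding['url']}: {finding['reason']}")
    for host in sorted(mixed_scheme_hosts(traffic)):
        print(f"[MIXED] {host} is reached over both HTTPS and HTTP")
    print(f"{len(findings)} cleartext request(s) found")


if __name__ == "__main__":
    report(SAMPLE_TRAFFIC)
```

The same logic can be pointed at a real capture by converting a HAR export or proxy log into the same list-of-dicts shape; the point of the check is that a single HTTPS login endpoint is not enough, since every request that follows it must also be protected or the session and everything the app displays are exposed.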

This is a huge error, and not one that can be chalked up to a simple mistake. Decime described Equifax’s lack of understanding of mobile platforms as “damning,” going on to say, “They quite frankly didn’t know what they were doing.”

According to Decime, he noticed the error on Thursday and immediately reported it to Equifax. Within an hour, he received a response from a vice president. In all his years as a security researcher, Decime says, he has never had such a swift and high-level response. After that, however, all communication with Equifax died.