The Equifax data breach in which the personal information of over 143 million Americans has already cost the company dearly. It’s lost nearly a third of its stock price and is currently facing what will be the largest class action lawsuit, and after announcing that the breach happened, there were more questions than answers. Now, Equifax is revealing what it believes led to the leak, and it’s blaming its woes on a vulnerability in web server software that hadn’t been patched months after a fix was released.
Equifax released an update on its investigation, detailing the issue:
Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.
The most embarrassing thing about all of this is that the vulnerability was actually a flaw that had been fixed months before the breach actually took place. As Ars Technica reports, a patch for the Apache Struts framework flaw had been issued on March 6th, 2017, and was a widely-known exploit that should have been a top priority for updating. Despite that, hackers found Equifax’s servers still exploitable in mid-May, and made off will the personal information of nearly half the country.
Before this discovery was made public, some had thought there may have been an unknown vulnerability in the Apache Struts software which led to the leak. As it turns out, an incredibly lax software security update policy was the real culprit, and Equifax has nobody to blame but itself.
It’s an incredibly shameful turn of events, and the fact that the company was essentially ignoring vital software patches will no doubt play a big role in how the class action case pans out. To put it simply, you wouldn’t want to be in Equifax’s shoes right about now.
