Equifax appears to have failed to roll out a patch that might have stopped the massive breach of its systems
Equifax has admitted the breach of its systems that has seen the personal data of well over 100 million people compromised was the result of a known website vulnerability that it failed to patch.
In a brief update statement, Equifax said it had been “intensely investigating” the scope of the intrusion with the help of an undisclosed cyber security firm – thought to be Mandiant – to find out exactly what information was accessed and whom it belongs to.
“We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638,” it said. “We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”
Apache Struts is an open-source model-view-controller (MVC) framework for building Java web applications, and is widely used across the financial services sector. The vulnerability lies in the framework's handling of file uploads: a malicious actor can execute arbitrary commands by placing a command string in a crafted Content-Type HTTP header.
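Because the attack rides in the Content-Type header, one defensive check is to flag requests whose Content-Type is not a well-formed media type or carries expression-language openers. The following is an added example, not code from Equifax, Apache or the original article; the log format and the sample lines are constructed for illustration, and the flagged value is a placeholder rather than a working payload.

```python
import re

# Media-type grammar, approximately RFC 7231 section 3.1.1.1:
#   type "/" subtype *( OWS ";" OWS parameter )
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PARAM = rf"\s*;\s*{_TOKEN}=(?:{_TOKEN}|\"[^\"\\]*\")"
_MEDIA_TYPE = re.compile(rf"^{_TOKEN}/{_TOKEN}(?:{_PARAM})*\s*$")

# Expression-language openers that never belong in a legitimate media type.
_EXPR_MARKERS = ("%{", "${")


def classify_content_type(value: str) -> str:
    """Classify a Content-Type header value as 'ok', 'malformed' or 'suspicious'."""
    if any(marker in value for marker in _EXPR_MARKERS):
        return "suspicious"   # an embedded expression, not a media type: alert on it
    if not _MEDIA_TYPE.match(value):
        return "malformed"    # not a media type at all; worth a closer look
    return "ok"


# Constructed (hypothetical) log format, one request per line:
#   <timestamp> <client-ip> <method> <path> "<content-type>"
_LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def scan_log(lines):
    """Return (line_number, verdict, client_ip, content_type) for every non-'ok' request."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = _LOG_LINE.match(line.rstrip("\n"))
        if not match:
            continue  # skip lines that do not follow the expected format
        _, client, _, _, ctype = match.groups()
        verdict = classify_content_type(ctype)
        if verdict != "ok":
            findings.append((number, verdict, client, ctype))
    return findings


# Constructed sample lines; the third carries a placeholder, not a real payload.
SAMPLE_LOG = [
    '2017-05-13T10:01:02Z 203.0.113.5 POST /upload "multipart/form-data; boundary=----x1"',
    '2017-05-13T10:01:03Z 203.0.113.6 POST /upload "application/json"',
    '2017-05-13T10:01:04Z 198.51.100.9 POST /upload "%{placeholder}"',
    '2017-05-13T10:01:05Z 203.0.113.7 POST /upload "not a media type"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the scan reports line 3 as suspicious and line 4 as malformed while the two well-formed multipart and JSON requests pass.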
The flaw was first disclosed in March 2017, and patches were released for it shortly afterwards. However, the Equifax breach began in May, which suggests the organisation did not bother to apply the updates to its systems.
Since news of the breach broke, it has also emerged that the incident may have affected many more Britons than at first suspected – around 44 million by some estimates.