Equifax’s Colossal Error: Not Patching Apache Struts Flaw

Confirmed: Hackers Behind Mega-Breach Exploited Struts Flaw, Patch Was Available

Equifax made an error that led to one of the largest and most sensitive data breaches of all time, and the mistake was elementary: The credit bureau failed to patch a vulnerability in Apache Struts – a web application development framework – in a timely manner.

The company updated its breach notification on Wednesday, confirming security watchers’ speculation that Struts was involved in the breach. That speculation had been based on both Equifax’s infrastructure and the timing of the Struts vulnerabilities – and patches for them – that have come to light this year (see Is Unpatched Apache Struts Flaw to Blame for Equifax Hack?).

To understand the full scope of the attack and breach, Equifax retained a digital forensics investigation firm – reported by ZDNet to be FireEye’s Mandiant unit – and the investigation remains ongoing.

“We continue to work with law enforcement as part of our criminal investigation and have shared indicators of compromise,” the company says in a statement on its website.

Update from Equifax issued September 13.

While the attack vector is known, Equifax has yet to discuss who may have hacked it. Of course, it may never know.

But Equifax says the unidentified hackers had access to the personal details of 143 million U.S. consumers, as well as an unspecified number of British and Canadian consumers. Names, addresses, Social Security numbers and in some cases, driver’s license numbers, are at risk. The breach also exposed credit card numbers for 209,000 U.S. consumers and credit dispute documentation for 182,000 people (see Equifax: Breach Exposed Data of 143 Million US Consumers).
