Apache Struts Security Flaw That Equifax Failed to Patch Responsible for Hack
Equifax, the company that essentially made personal details of over 143 million Americans available to hackers, has now officially confirmed that it had failed to install a security update. In a statement, the credit giant said a web server vulnerability in Apache Struts that was reported and patched several months ago was responsible for the data breach.
"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted," the company wrote. "We know that criminals exploited a U.S. website application vulnerability," it added.
In its statement, Equifax further shared that the vulnerability was Apache Struts CVE-2017-5638. "We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement," the statement noted.
Equifax's official statement comes after a report from equity research firm Baird that had blamed the same flaw and the company's inability to patch it. The report was later retracted. Equifax also hasn't shared any evidence to support this finding.
Apache Struts flaw blamed for Equifax breach was patched in March
Apache Struts is used by a number of large corporations including the Fortune 100 companies, powering front and backend applications. It was also responsible for the public website of Equifax. The Apache Struts security vulnerability that the company has said is to blame for the data breach dates to March, this year. The flaw tracked as CVE-2017-5638 was a zero-day when it was discovered, meaning that it was being used in the wild before it could be patched up. It appears that the credit firm failed to install the security updates that came to patch it up.
However, it isn't immediately clear if the hackers attacked the company before the flaw was discovered and subsequently patched up by Apache. In its earlier statements, Equifax had only revealed that it became aware of the breach on July 29, but didn't share exactly when the security breach had occurred. Since the company is holding off the details of its investigation, security experts believe that the attack possibly happened after the patch was made available since it was then widely distributed and publicized.
Following the data breach, security researchers have found several other security problems in Equifax's cybersecurity mechanisms and practices, including unpatched cross-site scripting (XSS) vulnerabilities that were reported to the company over a year ago.
The company is facing several lawsuits, with its shares falling more than 30% since the data breach was disclosed.