Equifax blames months-old web server flaw for enabling hack

Equifax says a publicly known vulnerability since early March allowed hackers to begin stealing personal information from as many as 143 million Americans two months later.


Equifax said Wednesday that a months-old but apparently unpatched web server vulnerability enabled the massive data breach that exposed the personal financial information of about half of the US population.

Equifax said it identified Apache Struts CVE-2017-5638, a flaw first disclosed on March 6, as the gateway to the hack. The company located the problem with the help of an unidentified cybersecurity firm. Patches for the vulnerability were made available less than a week later.

It was not immediately clear why the flaw still existed on Equifax’s servers in mid-May when the massive months-long hack began. Representatives for Equifax did not respond to a request for comment.

The revelation of an unpatched vulnerability raises further questions about the hack, which the credit reporting company disclosed less than a week ago. The hackers got away with a treasure trove of financial data on 143 million people in the United States, including names, Social Security numbers, birthdates and customer addresses. Equifax learned of the breach on July 29 but did not disclose it for more than a month.

The breach, which was particularly damaging because a single company held such a large amount of sensitive information, is among the largest in US history and the largest known leak of 2017. Yahoo lost data on about 1 billion accounts in 2013, the web portal said last year.

The company has come under intense scrutiny since the hack came to light on September 7. Two influential US senators sent a letter to Equifax CEO Rick Smith demanding answers to detailed questions about the massive hack, including the timeline of the security breach and when the company became aware of it.

Senator Orrin Hatch, chairman of the Senate Finance Committee, also requested information on when authorities and board members learned of the hack, including three executives who sold stock in the days following the discovery of the hack.
