Equifax keeps digging their hole deeper. Their massive data breach exposed the personal identifying information of 144 million Americans. They didn’t announce the breach for more than a month, during which time many executives at the company dumped stock. And now there’s this.
Equifax has offered an explanation as to what exactly happened:
“Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”
Ars Technica points out that Apache Struts is a “framework for developing Java-based apps that run both front-end and back-end Web servers.” The framework is popular within the financial industry, leading many to wonder if there may be more news of hacks to come.
Here’s where it gets really bad. The bug in Apache Struts was discovered early enough to prevent its exploitation. In fact, a patch was released on March 6, 2017. The news of this patch alerted hackers to the fact that the hole existed. And they took advantage of it immediately.
Equifax could have patched the vulnerability on March 6th, but they didn’t. And they still had not patched the hole in May, when they found they’d been hacked.
In other words, this was completely preventable and the back door, so to speak, was left wide open.
This news, when coupled with the pending lawsuits, will surely make life difficult for Equifax’s legal team. And many of the top executives who sold off stock en masse are now going to have an even more complicated time convincing anyone that those sales weren’t part of a coordinated effort to cut their losses ahead of the announcement of the news.