In a late-night info dump on its incident website, Equifax has revealed how hackers managed to steal over 143 million user records: an Apache server software vulnerability, for which a patch had been released a full two months before the breach.
Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.
According to Ars Technica, this particular Java app framework is extremely popular with financial institutions. The vulnerability and its patch were disclosed on March 6, after which malicious intruders began probing systems worldwide for the unpatched flaw. It would seem that Equifax never updated its server software and web apps during the two months that followed.
As Ars warned in March, patching the security hole was labor intensive and difficult, in part because it involved downloading an updated version of Struts and then using it to rebuild all apps that used older, buggy Struts versions. Some websites may depend on dozens or even hundreds of such apps, which may be scattered across dozens of servers on multiple continents. Once rebuilt, the apps must be extensively tested before going into production to ensure they don’t break key functions on the site.
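The first step in the remediation Ars describes is knowing which deployed apps still bundle an old Struts version. The script below is an added example (not code from the article, Equifax or Ars): it walks a deployment tree, pulls the struts2-core jar version out of each .war, and compares it against a per-release-line patched minimum. The layout (jars under WEB-INF/lib/), the app names and the threshold table are assumptions; the article gives no version numbers, so the threshold values are placeholders to be filled in from the Apache Struts advisory for CVE-2017-5638.

```python
"""Inventory deployed Struts 2 web apps and flag those bundling an unpatched
struts2-core jar.  Added example, not code from the article, Equifax or Ars.
Assumes the usual layout: each deployed app is a .war (a zip file) with its
jars under WEB-INF/lib/.
"""
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Minimum patched struts2-core version per release line ("major.minor").
# PLACEHOLDER values: the article names no version numbers, so take the real
# thresholds from the Apache Struts advisory for CVE-2017-5638 before use.
PATCHED_MIN_PLACEHOLDER: Dict[str, Version] = {
    "2.3": (2, 3, 0),  # placeholder
    "2.5": (2, 5, 0),  # placeholder
}

# Matches e.g. WEB-INF/lib/struts2-core-2.3.31.jar inside a war.
STRUTS_CORE_JAR = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Version:
    """'2.5.10.1' -> (2, 5, 10, 1).  Tuples compare lexicographically, so a
    shorter prefix such as (2, 5, 10) ranks below (2, 5, 10, 1)."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version: str, patched_min: Dict[str, Version]) -> bool:
    """True when the jar's version is below the patched minimum of its line."""
    v = parse_version(version)
    line = f"{v[0]}.{v[1]}"
    if line not in patched_min:
        return False  # release line not covered by the threshold table
    return v < patched_min[line]


def struts_versions_in_war(war_path: str) -> List[str]:
    """Return every struts2-core version bundled in a .war (usually one)."""
    with zipfile.ZipFile(war_path) as war:
        matches = (STRUTS_CORE_JAR.search(name) for name in war.namelist())
        return [m.group(1) for m in matches if m]


def inventory(root: str, patched_min: Dict[str, Version]) -> List[Tuple[str, str, bool]]:
    """Walk a deployment tree and report (war, struts version, vulnerable?)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".war"):
                continue
            path = os.path.join(dirpath, name)
            for ver in struts_versions_in_war(path):
                findings.append((os.path.relpath(path, root), ver,
                                 is_vulnerable(ver, patched_min)))
    return findings


def build_demo_tree(root: str) -> None:
    """Constructed sample data: three tiny wars with different struts2-core
    jars plus one app that does not use Struts at all."""
    apps = {"portal.war": "2.3.31", "dispute.war": "2.5.10.1", "legacy.war": "2.3.5"}
    for war, ver in apps.items():
        with zipfile.ZipFile(os.path.join(root, war), "w") as z:
            z.writestr("WEB-INF/web.xml", "<web-app/>")
            z.writestr(f"WEB-INF/lib/struts2-core-{ver}.jar", b"")
    with zipfile.ZipFile(os.path.join(root, "static.war"), "w") as z:
        z.writestr("index.html", "<html/>")


def run_demo(patched_min: Dict[str, Version]) -> List[Tuple[str, str, bool]]:
    """Build the constructed tree in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return inventory(root, patched_min)


if __name__ == "__main__":
    # Constructed thresholds purely to make the demo show one hit.
    demo_thresholds = {"2.3": (2, 3, 10), "2.5": (2, 5, 10)}
    for war, ver, bad in run_demo(demo_thresholds):
        print(f"{war:12s} struts2-core {ver:9s} {'REBUILD' if bad else 'ok'}")
```

Running this across every server that hosts apps is what turns "dozens or hundreds of apps on multiple continents" into a concrete rebuild list; the version comparison is done on integer tuples rather than strings so that 2.3.9 correctly sorts below 2.3.31.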
The Federal Trade Commission made a rare public announcement confirming it was investigating Equifax's security practices, citing the scope and potential impact of the breach as justification. The Senate Finance Committee and over 40 state governments have opened their own probes into the company, with Democrat Senator Chuck Schumer comparing the disaster to the infamous Enron crash and calling on Equifax's leadership to resign.