Failure to patch two-month-old bug led to massive Equifax breach

From Ars Technica

Wikimedia Commons/Alex E. Proimos

The Equifax breach that exposed sensitive data for as many as 143 million US consumers was accomplished by exploiting a Web application vulnerability that had been patched more two months earlier, officials with the credit reporting service said Thursday.

“Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted,” company officials wrote in an update posted online. “We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

The flaw in the Apache Struts framework was fixed on March 6. Three days later, the bug was already under mass attack by hackers who were exploiting the flaw to…

Read More – Failure to patch two-month-old bug led to massive Equifax breach