Hackers exploited a two-month-old flaw in Equifax’s web systems to steal millions of customers’ private data, the firm revealed.
A patch for the vulnerability in the open-source software package Apache Struts was released on March 7 – the same day the flaw was announced.
But it’s not clear if the credit agency giant went through the time-consuming process of updating its systems to fix the bug – leaving itself open to a major security breach.
Hackers immediately began to exploit the flaw after it was announced, breaking into Equifax’s server and installing rogue applications and malware.
Two months later, that paid off when they were able to steal up to 143 million people’s private information.
The credit agency said the hack of its cybersecurity system may have affected 143 million consumers and included a trove of private information including credit card numbers, names, birth dates, Social Security numbers, and more.
Apache Struts is still used in around 65 per cent of Fortune 100 companies and by government agencies.
Credit agencies Experian and annualcreditreport.com also rely on Apache Struts.
‘Organizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and SHOWTIME are known to have developed applications using the framework,’ researchers wrote in a blog post after they uncovered another vulnerability in the system. A new patch has since been released.
‘This illustrates how widespread the risk is.’
The credit agency has not yet commented on whether they updated their system after the patch was announced.
Shares of the company’s stock plummeted from 142.72 on September 7, when the hack was announced, to 98.99 at close of trading yesterday.
But the revelation that their system was hacked via the bug could suggest that the firm failed to update its Web applications to install the patch when it was released.
The patch would have been time-consuming to apply, as it involved rebuilding hundreds of apps using the updated software. These would all have to be tested extensively before they went live.
‘Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted,’ company officials wrote in a statement yesterday.
‘We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.’
The company, which safeguards financial data for consumers applying for credit, said it learned of the breach on July 29 and ‘acted immediately’ with the assistance of an independent cybersecurity firm to assess the impact.
The breach affected well over a third of the population in America, which stood at 324 million as of January 1, 2017, according to the US Census Bureau.
The data collected by the cyber-thieves contained a trove of private information including names, birth dates, Social Security numbers, addresses and driver’s licenses of consumers.
The company said that more than 200,000 credit card numbers were illegally obtained, in addition to ‘certain dispute documents with personal identifying information for approximately 182,000 US consumers.’
‘This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,’ said company chairman and chief executive Richard Smith.
‘I apologize to consumers and our business customers for the concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.’
Equifax said it would work with American, British and Canadian regulators to determine appropriate next steps for customers affected in those countries, but added that it ‘found no evidence that personal information of consumers in any other country has been impacted.’
Equifax said it had established a website to enable consumers to determine if they are affected and would be offering free credit monitoring and identity theft protection to customers.
The company is the latest to announce a major breach. Yahoo last year disclosed two separate cyber attacks which affected as many as one billion accounts.
More than 400 million accounts were affected by a breach disclosed last year at the hookup site Adult Friend Finder, and other firms affected in recent years included Heartland Payment Systems and retail giant Target.