Equifax confirms unpatched Apache Struts flaw was exploited in massive data breach

Apache Struts patch released two months before hackers struck

An unpatched flaw in the Apache Struts Web Framework was to blame for last week's Equifax breach that exposed the social security numbers and other personal details of 143 million Americans, the company has claimed.

On its Equifax Security website, the company confirmed a report from equity research firm Baird, which last week claimed that a widely exploited Apache Struts flaw was to blame for the breach.


"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cyber security firm to determine what information was accessed and who has been impacted," the credit reporting outfit said.

"We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement."

The cited Apache Struts flaw dates back to March, and a patch was released on 6 March, two months before Equifax learnt of the breach of its systems. This indicates that the company failed to install the security update, despite demonstrable proof that the flaw gave attackers an easy way to take control of websites holding sensitive data.

The lapse is less surprising in light of a report by security journalist Brian Krebs that Equifax's Argentinian website left administrator access guarded by the default username/password combination admin/admin.

These credentials enabled anyone to add or remove employee accounts for the system, and to read those employees' passwords simply by viewing the source of a web page. They also gave access to the personal data of anyone who had ever disputed a report - including their DNI, the Argentinian equivalent of the US Social Security number.

Equifax CEO Richard Smith is expected to testify before a US House of Representatives panel on 3 October after nearly 40 states joined a probe of the company's handling of the breach.

Elsewhere, a chatbot originally developed to overturn parking fines has been repurposed to help customers affected by the Equifax data breach sue the company, with its creator hoping to "bankrupt" the hapless company.