Equifax Blames Hack On Patched Vulnerability

Equifax blamed the breach that compromised the personal information of 143 million people on an Apache vulnerability patched months before the hack occurred. The vulnerability in question, CVE-2017-5638 in the Apache Struts web framework, was patched in March 2017. The intrusion began in May.

This disclosure implies that Equifax failed to address a critical vulnerability for roughly two months after a patch was made available. The 143 million people affected suffered immediately because their names, addresses, Social Security numbers, and other personal information were stolen. Unless the attackers had another way in, applying the Struts fix when it was released would very likely have prevented this massive breach.
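The practical check behind that argument is an inventory audit: which deployments still run a Struts 2 version in the affected range, and how long has the fix been available for each? The block below is an added example, not Equifax's or Apache's code. It takes the affected range from the Apache S2-045 advisory for CVE-2017-5638 (Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1), assumes the advisory date of 6 March 2017 as the day the fix became available, and runs over a constructed host inventory rather than any real system.

```python
"""Flag Apache Struts 2 deployments affected by CVE-2017-5638 (Apache
advisory S2-045) and report how long the fix has been available.

Added example, not code from the article, Equifax, or Apache. The affected
version range is taken from advisory S2-045; the fix date and the inventory
below are assumptions / constructed sample data.
"""
from datetime import date
import re

# Fixed releases 2.3.32 and 2.5.10.1 shipped with advisory S2-045; the
# publication date is assumed here as the day a patch was available.
FIX_DATE = date(2017, 3, 6)

# Affected ranges, half-open: lo <= version < hi. Versions are normalised to
# four components so that "2.5" compares as 2.5.0.0 and "2.5.10" sorts below
# the fixed 2.5.10.1.
AFFECTED_RANGES = [
    ((2, 3, 5, 0), (2, 3, 32, 0)),    # 2.3.5  .. 2.3.31
    ((2, 5, 0, 0), (2, 5, 10, 1)),    # 2.5    .. 2.5.10
]

VERSION_RE = re.compile(r"^\d+(\.\d+){0,3}$")


def parse_version(text):
    """Turn a dotted Struts version into a 4-tuple of ints.

    Qualifiers such as '-SNAPSHOT' are rejected rather than guessed at, so a
    malformed inventory entry fails loudly instead of being silently skipped.
    """
    text = text.strip()
    if not VERSION_RE.match(text):
        raise ValueError(f"not a plain dotted version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(version):
    """True if this Struts 2 version falls inside an S2-045 affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def patch_lag_days(as_of, fix_date=FIX_DATE):
    """Days between the fix becoming available and the audit date."""
    return (as_of - fix_date).days


def audit(inventory, as_of):
    """inventory: iterable of (host, struts_version).

    Returns [(host, version, lag_days)] for every host still vulnerable.
    """
    findings = []
    for host, version in inventory:
        if is_vulnerable(version):
            findings.append((host, version, patch_lag_days(as_of)))
    return findings


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("portal-01", "2.3.31"),    # last affected 2.3.x release
    ("portal-02", "2.3.32"),    # fixed
    ("api-01", "2.5.10"),       # last affected 2.5.x release
    ("api-02", "2.5.10.1"),     # fixed
    ("legacy-01", "2.3.4"),     # below the range S2-045 lists; not flagged here
]

if __name__ == "__main__":
    # Audit as of 1 May 2017, i.e. shortly before the month the breach began.
    for host, version, lag in audit(SAMPLE_INVENTORY, date(2017, 5, 1)):
        print(f"{host}: Struts {version} affected by CVE-2017-5638; "
              f"fix available for {lag} days")
```

The half-open ranges are the important detail: a naive `version <= "2.5.10"` string comparison would both misorder "2.5.9" after "2.5.10" and fail to distinguish 2.5.10 from the fixed 2.5.10.1. Feeding the audit the versions pinned in build files (for example the `struts2-core` entry in a Maven `pom.xml`) rather than what an application banner reports avoids trusting a self-description that an attacker can also read.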

Equifax has faced heavy criticism since the hack's disclosure in early September. One of the primary complaints involved the terms of service for its identity protection service, TrustedID Premier, which required participants to waive their right to sue the company. (Equifax has since changed those terms.) Another was the fact that it's only providing one year of free TrustedID Premier service, which only helps in the short term.

Another complaint involved three executives' decision to sell a combined $1.8 million in stock in the days between the breach's discovery and its disclosure. Equifax said the execs weren't aware of the hack when they sold their stock, but the timing was suspicious at best. Considering the company's falling share price, it wouldn't be surprising if these executives wanted to protect their finances before the episode was made public.

Perhaps the most worrisome criticisms involve the company's inability to secure its services before and after the breach. This hack was enabled by a vulnerability for which a fix had been available for roughly two months. An online portal containing similar personal information about Argentinians was "secured" with the username / password combination of "admin / admin." The site Equifax set up to handle this breach runs on stock WordPress, and its security was also called into question.

In addition to putting 143 million people at risk of identity theft or fraud, the Equifax breach could also make them vulnerable to unrelated attacks. That's why the FTC issued a warning urging people not to provide their personal information to anyone calling them and claiming to be from Equifax. Similar scams will probably capitalize on the fear, uncertainty, and doubt resulting from the breach.

This is just the beginning of the breach's aftermath. Its effects are likely to be felt for quite some time—the compromised information will retain its value in perpetuity, criminals will capitalize on the fear it's raised for as long as possible, and researchers will continue to hound Equifax and other companies to try to prevent similar attacks from happening in the future. Buckle in; this is going to be a long ride.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • ubercake
    This is unbelievable and pure negligence from one of the three bureaus that control your access to resources in both the public and private sectors (not just monetary).

    They need to be held accountable and the U.S. government needs to provide its citizens with a way to identify themselves without a Social Security Number.
  • humorific
    What really needs to be done is to put in place a system to eliminate the SSN altogether. If it hasn't been exposed by now, it eventually will be. It's too late to secure this archaic ID. I propose a public/private rolling key. You provide a "new" SSN to a requestor. Then you would take both that SSN and your private PIN (which you can change) to generate a new SSN to provide for the next requestor. It doesn't guarantee your info wouldn't be lost, but you would be in control of it and would be able to track down who leaked it.
  • Josh_killaknott27
    Nobody trades Equifax shares in that large of margins a mere three days after a massive breach only to wait 40 days before actually reporting it. The three executives in question should be tried and convicted to the strictest of standards. Preferably life in prison, as there are far more who get away with ruining our economy on the pretext of personal gain.