Equifax blamed the breach that compromised the personal information of 143 million people on an Apache vulnerability patched months before the hack occurred. The vulnerability in question, Apache Struts CVE-2017-5638, was patched in March. The breach started in May.
This disclosure implies that Equifax failed to address a critical vulnerability for several months after a patch was made available. Hundreds of millions of people immediately suffered because their names, addresses, Social Security numbers, and other personal information were stolen. Unless the attackers could have exploited another vulnerability, chances are good that patching CVE-2017-5638 would have prevented this massive breach.
Equifax has faced heavy criticism since the hack's disclosure in early September. One of the primary complaints involved the terms of service for its identity protection service, TrustedID Premier, which required participants to waive their right to sue the company. (Equifax has since changed those terms.) Another was the fact that it's only providing one year of free TrustedID Premier service, which only helps in the short term.
Another complaint involved three executives' decision to sell a combined $1.8 million in stock in the days between the breach's discovery and its disclosure. Equifax said the execs weren't aware of the hack when they sold their stock, but the timing was suspicious at best. Considering the company's falling share price, it wouldn't be surprising if these executives wanted to protect their finances before the episode was made public.
Perhaps the most worrisome criticisms involve the company's inability to secure its services before and after the breach. This hack was enabled by a vulnerability whose patch had been available for months. An online portal containing similar personal information about Argentinians was "secured" with the username/password combination "admin/admin." The site dedicated to this breach runs on stock WordPress, and its security was also put in doubt.
In addition to putting hundreds of millions of people at risk of identity theft or fraud, the Equifax breach could also make them vulnerable to unrelated attacks. That's why the FTC issued a warning that urged people not to provide their personal information to anyone calling them and claiming to be from Equifax. Similar attacks will probably capitalize on the fear, uncertainty, and doubt resulting from the breach.
This is just the beginning of the breach's aftermath. Its effects are likely to be felt for quite some time—the compromised information will retain its value in perpetuity, criminals will capitalize on the fear it's raised for as long as possible, and researchers will continue to hound Equifax and other companies to try to prevent similar attacks from happening in the future. Buckle in; this is going to be a long ride.