
Apache Struts Security Flaw That Equifax Failed to Patch Responsible for Hack

15 September 2017

Attorney General Ken Paxton today issued a consumer alert following a report from Equifax Inc., one of the nation's three major credit reporting agencies, that it experienced a data breach affecting 143 million Americans, including almost 12 million Texans. Shares of rival Experian Plc, which trade in London, dropped as much as 6.4 percent on Thursday. The vulnerability was Apache Struts CVE-2017-5638. "We know that criminals exploited a USA website application vulnerability", it added.

'Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted,' company officials wrote in a statement yesterday. The two-month gap between when the patch was issued and when the attackers breached Equifax's network was a particularly risky time, as hackers began immediately exploiting the flaw on websites that didn't apply the fix, according to technology website Ars Technica.

The vulnerability was a critical weakness for many large websites that were built using the software. "We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement", the statement noted.

The breach affected well over a third of the population in America, which stood at 324 million as of January 1, 2017, according to the US Census Bureau.

The next wave will be scammers sending out e-mails saying they're Equifax, providing a link, which will likely send you to a fake website.

It adds that personal information that may have been breached includes names, address and Social Insurance Number and "the breach is contained".

'This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,' said company chairman and chief executive Richard Smith. "So data security and how we go about ensuring that is something we spend a lot of time and effort on". The sales came before the breach was announced to the public.

The bigger question to many cyber-security experts is why some of Equifax's crown jewels were accessible essentially from the open internet, a question that Equifax has not addressed. Once the compromise was announced, ambiguous language in the recovery site's Terms of Service made it seem as if anyone accepting Equifax's credit-monitoring services would waive their right to sue the service.
