Equifax overlooked Apache Struts Patches


Attackers took advantage of a security vulnerability at Equifax. The breach happened because of a web server vulnerability in Apache Struts that Equifax had failed to patch months earlier. Questions have been raised about why Equifax failed to update its software when it knew the risk was imminent. The breach has affected 143 million consumers.

The credit giant confirmed in a statement: “Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted.”

“We know that criminals exploited a U.S. website application vulnerability,” the statement added.

“The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

Equifax has not provided any credible evidence to support the above statement.

Apache Struts is a framework for building web applications in Java; it powers front-end and back-end applications and is used across Fortune 100 companies. In this case, Apache Struts even powered Equifax’s public website.

René Gielen, the vice president of Apache Struts, said in a statement: “Most breaches we become aware of are caused by the failure to update software components that are known to be vulnerable for months or even years.”

Industry experts say the flaw in Apache Struts dates back to March 2017, when patches were released; as noted above, Equifax failed to install the security updates. In other words, the company had enough time to take precautionary measures and protect the personal data of 143 million customers, but it did not. This was just another instance of incompetence and shady behavior by the company in the face of a data breach.

It would have been simple for attackers to exploit the flaw and enter the system, penetration testers and security researchers said. Van Schaik, who discovered the Apache Struts bug, said: “Once they identified Equifax’s systems as vulnerable, actually exploiting the vulnerability to gain access to the Equifax servers and network will, unfortunately, have been relatively easy.” He added: “It’s hard to say how difficult it will have been for the attackers to get their hands on customer data once they found their way into Equifax’s servers and network. But the timeline suggests that time was on the attackers’ side.”

Equifax will be under scrutiny for the data breach, but as always the real sufferers are the individuals whose data was compromised. It was Equifax’s responsibility to keep that data from falling into the wrong hands. Unfortunately, most of the affected people are not even direct customers of Equifax; their data shows up whenever a credit check is requested for someone working and living in the United States.
