Equifax says Apache Struts vulnerability was to blame for the massive data breach

Equifax confirms hackers accessed their servers using Apache Struts CVE-2017-5638 vulnerability

Equifax blames Apache Struts flaw for the data breach

Equifax, one of the leading credit reporting agencies, has finally shared some news regarding the data breach that affected millions of Americans. The official statement was published on the company’s newly established website, equifaxsecurity2017.com, which is dedicated to providing information about the breach.

The official statement named the security vulnerability that allowed hackers to steal the private information of over 143 million Americans:

We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638.

The CVE-2017-5638 vulnerability[1] is extremely dangerous: exploiting it allows an attacker to remotely execute code in the context of the affected application. It was discovered and patched in March 2017. According to Equifax, its servers were accessed between mid-May and July[2].

This means that a company holding massive amounts of extremely valuable consumer data possibly failed to update its web applications. Had the company patched the vulnerable software in time, the massive data breach could have been prevented.

Federal Trade Commission puts Equifax under a magnifying glass

According to Reuters[3], the Federal Trade Commission has officially opened an investigation into the data breach at Equifax. The FTC normally does not comment on ongoing investigations, but it made an exception this time.

The FTC spokesman Peter Kaplan briefly commented on the matter, saying “in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach.”

In addition, nearly 40 states joined a probe of Equifax’s business and privacy practices.

Equifax CEO has been formally called to testify before a House of Representatives panel

Equifax’s chief executive, Richard Smith, has been invited by Congress to testify before a House of Representatives panel on October 3rd.

Representative Greg Walden, the Republican chairman of the Energy and Commerce Committee, and Republican Representative Bob Latta said that Richard Smith has agreed to testify.

Shares of the credit reporting agency are tumbling as the company is pressed to provide more information regarding the still-unclear security practices that allowed attackers to access the data of 143 million people.

According to Financial Times[4], Equifax experienced approximately a $3 billion market value drop on Friday morning.

What to do if you’re a victim

  • First of all, you can freeze your credit. This will halt access to your credit data, maintain your credit score and stop hackers who already hold your private information from misusing it.
  • Consider enrolling in Equifax’s TrustedID Premier program[5], which offers one year of free credit monitoring and complimentary identity theft protection.
  • Set a fraud alert. Contact one of the credit bureaus and ask them for an instant fraud alert. The alert will be active for 90 days; afterward, you will have to renew it.

About the author

Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and owner of 2-Spyware. He currently serves as Editor-in-chief.
