Equifax blames months-old web server flaw for allowing hack

Equifax said Wednesday a months-old but apparently unpatched web server vulnerability allowed the massive data breach that exposed the personal financial information for roughly half the U.S. population.

Equifax said it identified Apache Struts CVE-2017-5638, a flaw that was first identified on March 6, as the hack's gateway. The company located the problem with the help of an unidentified cybersecurity firm. Patches for the vulnerability were made available less than a week later.

It wasn't immediately clear why the flaw still existed on Equifax's servers in mid-May when the massive, months-long hack began. Equifax representatives didn't respond to a request for comment.  

The revelation of an unpatched vulnerability raises further questions about the hack, which the credit-reporting firm revealed less than a week ago. Hackers made off with a treasure trove of financial data from as many as 143 million people in the U.S., including names, Social Security numbers, birth dates and addresses of customers. Equifax learned about the breach on July 29 but didn't reveal it for more than a month.

Equifax data breach: How to protect yourself 03:21

The breach, which was particularly potent because one company held such a large amount of sensitive information, is among the largest in U.S. history and the biggest known leak of 2017. Yahoo lost data on roughly a record 1 billion accounts in 2013, the web portal said last year.

The company has been under intense scrutiny since the hack was revealed on Sept. 7. A pair of influential U.S. senators have sent a letter to Equifax CEO Rick Smith demanding answers to detailed questions about the massive hack, including details such as the timeline for the security breach and when the company became aware of it.

Sen. Orrin Hatch, chairman of the Senate Finance Committee, also asked for information about when authorities and board members were informed of the hack, including three executives who sold shares in the days after the hack was discovered but before it was made public.

This article originally appeared on CNET.

Steven Musil

Steven Musil is the night news editor at CNET News. Before joining CNET News in 2000, Steven spent 10 years at various Bay Area newspapers. E-mail Steven.

Twitter

Disclaimer: The copyright of this article belongs to the original author. Reposting this article is solely for the purpose of information dissemination and does not constitute any investment advice. If there is any infringement, please contact us immediately. We will make corrections or deletions as necessary. Thank you.