Equifax security breach blamed on known web vulnerability in Apache Struts
It’s been a hard week for Equifax, and it’s about to get worse. After announcing one of the largest and potentially most damaging data breaches in digital history last week, the credit reporting service is now pointing the finger at a web vulnerability in the Apache Struts framework used in their web servers. The big problem? The vulnerability was publicly announced back in March, two months before the hack occurred.
Apache Struts is a popular framework used by many large corporations to build Java-based web applications that run on front- and back-end servers. The exploited vulnerability in the framework was nothing new: when it was announced on March 6, hackers quickly took advantage of the security hole to access the web servers of other large corporations. However, a patch was quickly made available to Apache Struts users, who would need to download the patched version and rebuild and redeploy their web applications accordingly.
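The practical defender's question raised here is whether a deployment still bundles an unpatched Struts release. The script below is an added example, not code from the article or from the Apache Struts project: it walks a deployment directory, reads the version of every `struts2-core` jar from its manifest (falling back to the filename), and classifies each jar against a per-branch minimum patched version. The threshold table and the sample jars it builds are constructed placeholders; the real fixed versions come from the vendor advisory, which the article does not quote.

```python
"""Inventory check for bundled struts2-core jars (added example).

The PLACEHOLDER_MIN_PATCHED table is a stand-in: replace it with the fixed
versions named in the Apache Struts advisory for the branches you run.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Versions are tuples so they compare numerically: (2, 3, 9) < (2, 3, 32),
# whereas the strings "2.3.9" and "2.3.32" would sort the wrong way round.
PLACEHOLDER_MIN_PATCHED = {
    (2, 3): (2, 3, 32),      # placeholder threshold for the 2.3 branch
    (2, 5): (2, 5, 10, 1),   # placeholder threshold for the 2.5 branch
}

JAR_NAME_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1)."""
    return tuple(int(part) for part in text.strip().split("."))


def jar_version(jar_path):
    """Read the Struts version from the jar's manifest, falling back to the
    filename. Returns None when neither source names a version."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            key, _, value = line.partition(":")
            if key.strip() == "Implementation-Version" and value.strip():
                return parse_version(value)
    except (KeyError, zipfile.BadZipFile, OSError):
        pass  # no manifest or unreadable jar: fall through to the filename
    match = JAR_NAME_RE.search(Path(jar_path).name)
    return parse_version(match.group(1)) if match else None


def classify(version, min_patched):
    """'patched', 'vulnerable', or 'unknown' (no version, or a branch the
    threshold table does not cover, which must be reviewed by hand)."""
    if version is None:
        return "unknown"
    threshold = min_patched.get(version[:2])
    if threshold is None:
        return "unknown"
    return "patched" if version >= threshold else "vulnerable"


def scan_for_struts(root, min_patched):
    """Map each struts2-core jar under root (relative path) to its status."""
    root = Path(root)
    return {
        str(jar.relative_to(root)): classify(jar_version(jar), min_patched)
        for jar in root.rglob("struts2-core-*.jar")
    }


def build_demo_deployment(root):
    """Construct a fake webapps tree (constructed sample input): one outdated
    jar, one patched jar, and one jar with no version metadata at all."""
    samples = {
        "app-a/WEB-INF/lib/struts2-core-2.3.31.jar": "2.3.31",
        "app-b/WEB-INF/lib/struts2-core-2.5.10.1.jar": "2.5.10.1",
        "app-c/WEB-INF/lib/struts2-core-unknown.jar": None,
    }
    for rel, version in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        manifest = "Manifest-Version: 1.0\n"
        if version:
            manifest += f"Implementation-Version: {version}\n"
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", manifest)


def demo():
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_deployment(tmp)
        return scan_for_struts(tmp, PLACEHOLDER_MIN_PATCHED)


if __name__ == "__main__":
    for jar, status in sorted(demo().items()):
        print(f"{status:10} {jar}")
```

Run it against a real server by calling `scan_for_struts("/path/to/webapps", ...)` with the advisory's version table; treat every "unknown" result as a finding to investigate rather than as clean, since a jar with stripped metadata is exactly the kind of artifact that hides an old dependency.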
As Experian is a massive corporation that produces billions of dollars in revenue, it’s very unlikely that the credit service lacked the capital or capacity to install the patch. Experian discovered the hack on July 29th and disclosed that their servers were accessed as far back as May, which gave Experian two months to fix the security hole.
The Experian hack is one of the most damaging to date. Hackers gained access to several pieces of identifying information belonging to over 143 million U.S. consumers, including Social Security numbers, first and last names, home addresses, and even driver’s license numbers. This information could be used for fraud, particularly financial fraud: most banks and credit card companies require nothing more than a Social Security number and a driver’s license to open an account. Experian has offered free credit monitoring services and credit freezes to affected individuals.