Notebookcheck Logo

Equifax security breach blamed on known web vulnerability in Apache Struts

Image: Equifax
Image: Equifax
One week after announcing a major data breach affecting over 143 million consumers, Equifax is pointing blame at a security vulnerability in the Apache Struts web framework. However, the vulnerability was publicly announced in March and a patch was available months before the attack.

It’s been a hard week for Equifax, and it’s about to get worse. After announcing one of the largest and potentially most damaging data breaches in digital history last week, the credit reporting service is now pointing the finger at a web vulnerability in the Apache Struts framework used in their web servers. The big problem? The vulnerability was publicly announced back in March, two months before the hack occurred.

Apache Struts is a popular framework used by several large corporations to develop Java-based apps designed to run front- and back-end websites and servers. The exploited vulnerability in the framework is nothing new; when it was announced on March 6, hackers quickly took advantage of the security hole to access the web servers of other large corporations. However, a patch was quickly made available to Apache Struts users, who would need to download the patched version and rebuild their web servers accordingly.

As Experian is a massive corporation that produces billions of dollars in revenue, it’s very unlikely that the credit service lacked the capital or capacity to install the patch. Experian discovered the hack on July 29th and disclosed that their servers were accessed as far back as May, which gave Experian two months to fix the security hole.

The Experian hack is one of the most damning to date. Hackers gained access to several pieces of identifying information of over 143 million U.S. consumers. This includes Social Security numbers, first and last names, home addresses, and even driver’s license numbers. This information could be used for fraud, particularly financial fraud; most banks and credit card companies require nothing more than a social security number and driver’s license to open an account. Experian has offered free credit monitoring services and credit freezes to affected individuals.


static version load dynamic
Loading Comments
Comment on this article
Please share our article, every link counts!
> Expert Reviews and News on Laptops, Smartphones and Tech Innovations > News > News Archive > Newsarchive 2017 09 > Equifax security breach blamed on known web vulnerability in Apache Struts
Sam Medley, 2017-09-14 (Update: 2017-09-14)