Equifax confirms massive data breach was result of missed patch

Equifax appears to have failed to roll out a patch that might have stopped the massive breach of its systems

Equifax has admitted that the breach of its systems, which has seen the personal data of well over 100 million people compromised, was the result of a known website vulnerability that it failed to patch.

In a brief update statement, Equifax said it had been “intensely investigating” the scope of the intrusion with the help of an undisclosed cyber security firm – thought to be Mandiant – to find out exactly what information was accessed and whom it belongs to.

“We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638,” it said. “We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

Apache Struts is an open-source model-view-controller (MVC) framework for building Java web applications, and is widely used across the financial services sector. The vulnerability causes it to mishandle file uploads, enabling attackers to execute arbitrary commands via a command string in a crafted Content-Type HTTP header.

The vulnerability was first disclosed in March 2017, and patches for it were released soon afterwards. However, the Equifax breach began in May, which suggests the organisation did not apply the updates to its systems.
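One check a practitioner would want at this point, added here as an example that is not from the article, Equifax or the Apache project: a small Python audit that reads the struts2-core version declared in a Maven pom.xml and reports whether it falls inside the version ranges affected by CVE-2017-5638. The affected ranges, the pom fragment and the function names are assumptions of the example (the ranges are taken from the Apache Struts advisory for this CVE, not from the article, and should be verified against it); the version comparison handles the four-component fixed release 2.5.10.1, which a plain string comparison would misjudge.

```python
import re
# Affected version ranges for CVE-2017-5638, inclusive. Assumption: taken from
# the Apache Struts advisory for the CVE, not from the article; verify first.
AFFECTED_RANGES = (
    ((2, 3, 5), (2, 3, 31)),   # 2.3.x line, fixed in 2.3.32
    ((2, 5, 0), (2, 5, 10)),   # 2.5.x line, fixed in 2.5.10.1
)

def parse_version(text: str) -> tuple:
    """'2.5.10.1' -> (2, 5, 10, 1); '2.5' -> (2, 5, 0). Padding keeps '2.5'
    inside the 2.5.x range; the fourth part makes the patched 2.5.10.1 sort
    above 2.5.10, which a plain string comparison gets wrong."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def is_vulnerable(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

# Direct struts2-core dependency in the usual artifactId-then-version order;
# a transitive dependency needs the resolved dependency tree, not the pom text.
DEP_RE = re.compile(
    r"<artifactId>\s*struts2-core\s*</artifactId>\s*<version>\s*([^<]+?)\s*</version>"
)

def struts_version_from_pom(pom_xml: str) -> "str | None":
    m = DEP_RE.search(pom_xml)
    return m.group(1) if m else None

def audit_pom(pom_xml: str) -> str:
    version = struts_version_from_pom(pom_xml)
    if version is None:
        return "no direct struts2-core dependency declared"
    state = "VULNERABLE" if is_vulnerable(version) else "patched"
    return f"struts2-core {version}: {state} (CVE-2017-5638)"

# Constructed pom.xml fragment for the demonstration, not from any real system.
SAMPLE_POM = """<dependencies>
  <dependency>
    <artifactId>struts2-core</artifactId>
    <version>2.5.10</version>
  </dependency>
</dependencies>"""
print(audit_pom(SAMPLE_POM))  # struts2-core 2.5.10: VULNERABLE (CVE-2017-5638)
```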

Since news of the breach broke, it has also emerged that the incident may have affected many more Britons than at first suspected – around 44 million by some estimates.

This is because even if people do not directly purchase Equifax’s consumer services themselves, some of their sensitive personal data is almost certainly held by enterprises, which use its corporate services to check credit scores for loans, for example.

“We are already in direct contact with Equifax to establish the facts including how many people in the UK have been affected and what kind of personal data may have been compromised,” said ICO deputy commissioner James Dipple-Johnstone.

“We will be advising Equifax to alert affected UK customers at the earliest opportunity. In cyber attack cases that cross borders, the ICO is committed to working with relevant overseas authorities on behalf of UK citizens.”

Equifax received further negative publicity over a clause in its terms and conditions stating that customers who signed up for its free credit file monitoring and identity theft protection service as a result of the hack would waive their right to take part in any class action lawsuit against the organisation.

It has since amended the conditions attached to the TrustedID Premier service.

“We have removed that language from the TrustedID Premier terms of use and it will not apply to the free products offered in response to the cyber security incident or for claims related to the cyber security incident itself,” said Equifax. “The arbitration language will not apply to any consumer who signed up before the language was removed.”

Equifax is continuing to provide information for customers on its website.