show image

Equifax could have averted its breach if it had patched a bug

Equifax’s massive data breach was caused by a failure to patch a software vulnerability, the credit agency has confirmed.

It posted a progress update for customers on its Equifax Security 2017 site this morning:

Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.

As the Register notes, the Apache Foundation said this week it issued an update to fix the vulnerability in question on 10 March 2017, around two months before the Equifax breach happened.

The company has so far refused to comment on the number of Brits hit the by the breach, despite several enquiries from NS Tech.

Equifax has set up a site for customers to check if their data was breached, but it requires a social security number, which Brits don’t have.

ClearScore, a British company that partners with Equifax to show 4.9 million people their credit scores, said in a statement: “At this stage, it looks like no UK financial information has been compromised in this attack.”

The Information Commissioner’s Office has urged Equifax to alert customers in Britain who have been affected by the breach.