Massive breach at Equifax

© iStock.

Equifax, the credit reporting company that has collected and analyzed the personal data of 800 million consumers applying for credit, has experienced a massive breach and the exposure of data related to some 190 million accounts (including 143 million in the United States). The major breach was announced some time after the fact, and not before three members of upper management had sold their shares. Several class-action suits are currently underway. The data was hacked through a Web application built on the Apache Struts framework, which had a flaw allowing code to be executed remotely. The vulnerability was discovered in March and quickly fixed by Apache. In the days following the announcement of the bug, several Web sites experienced attacks, which were widely reported in specialized media. Equifax has stated that its attack occured in mid-May, i.e. two full months after the issuance of the security fix, which would indicate a certain insouciance on the part of their technical team. A black eye for the trustworthiness of a company that rates … trustworthiness.

⇨ Ars Technica, “Failure to patch two-month-old bug led to massive Equifax breach.”