Equifax did not fix Apache Struts leak after notification
In a Congressional hearing, former Equifax CEO Richard Smith explained how attackers managed to break into his company’s systems. After the company became aware of a vulnerability in Apache Struts, it was unable to fix it.
According to Smith’s statement, the American Cert had warned about the leak on March 8. An internal email then circulated within Equifax calling for patches to be applied. According to company policy, this should have been done within 48 hours, but it didn’t work out. It is unclear whether the vulnerability was not found or whether a patch failed to implement.
Scans were supposed to have been carried out on March 15 that should have revealed the vulnerability, but that did not happen then either. The leak remained hidden for the rest of that same month, Smith said. It was previously known that the hack on Equifax was carried out via the vulnerability in Apache Struts. The hackers gained access to the company’s network on May 13, according to Smith’s statement, which was detected on July 29 by intercepting suspicious network traffic.
Equifax also announced Monday that the hired security firm Mandiant has completed its investigation. This would show that the total number of potentially affected people increases by 2.5 million Americans, bringing it to 145.5 million people. The investigation would further reveal that there was no access to databases outside the US.