Equifax said Wednesday a months-old but apparently unpatched web server vulnerability allowed the massive data breach that exposed the personal financial information for roughly half the US population.
Equifax said it identified Apache Struts CVE-2017-5638, a flaw that was first identified on March 6, as the hack's gateway. The company located the problem with the help of an unidentified cybersecurity firm. Patches for the vulnerability were made available less than a week later.
It wasn't immediately clear why the flaw still existed on Equifax's servers in mid-May when the massive, months-long hack began. Equifax representatives didn't respond to a request for comment.
The revelation of an unpatched vulnerability raises further questions about the hack, which the credit-reporting firm revealed less than a week ago. Hackers made off with a treasure trove of financial data from as many as 143 million people in the US, including names, Social Security numbers, birth dates and addresses of customers. Equifax learned about the breach on July 29 but didn't reveal it for more than a month.
The breach, which was particularly potent because one company held such a large amount of sensitive information, is among the largest in US history and the biggest known leak of 2017. Yahoo lost data on a record roughly 1 billion accounts in 2013, the web portal said last year.
The company has been under intense scrutiny since the hack was revealed on Sept. 7. A pair of influential US senators have sent a letter to Equifax CEO Rick Smith about the massive hack, requesting details such as the timeline for the security breach and when the company became aware of it.
Sen. Orrin Hatch, chairman of the Senate Finance Committee, also asked for information about when authorities and board members were informed of the hack, including three executives who sold shares in the days after the hack was discovered.