Equifax blames months-old web server flaw for allowing hack

Patches published months before the massive hack began apparently were never applied.

Steven Musil Night Editor / News

Equifax says a vulnerability known publicly since early March allowed hackers to begin stealing personal information on as many as 143 million Americans two months later.

Getty Images

Equifax said Wednesday that a months-old but apparently unpatched web server vulnerability allowed the massive data breach that exposed the personal financial information of roughly half the US population.

Equifax said it identified Apache Struts CVE-2017-5638, a flaw first disclosed on March 6, as the hack's gateway. The company located the problem with the help of an unidentified cybersecurity firm. Patches for the vulnerability were made available less than a week after the disclosure.

It wasn't immediately clear why the flaw remained unpatched on Equifax's servers in mid-May, when the massive, months-long hack began. Equifax representatives didn't respond to a request for comment.

The revelation of an unpatched vulnerability raises further questions about the hack, which the credit-reporting firm revealed less than a week ago. Hackers made off with a treasure trove of financial data from as many as 143 million people in the US, including names, Social Security numbers, birth dates and addresses of customers. Equifax learned about the breach on July 29 but didn't reveal it for more than a month.

The breach, which was particularly potent because one company held such a large amount of sensitive information, is among the largest in US history and the biggest known leak of 2017. Yahoo lost data on a record roughly 1 billion accounts in 2013, the web portal said last year.

The company has been under intense scrutiny since the hack was revealed on Sept. 7. A pair of influential US senators have sent a letter to Equifax CEO Rick Smith demanding answers to detailed questions about the massive hack, including details such as the timeline for the security breach and when the company became aware of it.

Sen. Orrin Hatch, chairman of the Senate Finance Committee, also asked for information about when authorities and board members were informed of the hack, including three executives who sold shares in the days after the hack was discovered.
