Equifax, the major credit reporting agency which collected extensive financial data on hundreds of millions of Americans before losing said data on 143 million of those people to hackers, has finally explained what went wrong.
Photo: AP
You are so not going to like it.
In a post on a website designed to spread information on how the company is handling the hack, Equifax said it had tracked down the vulnerability:
Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.
As Ars Technica noted, Apache Struts is a “framework for developing Java-based apps that run both front-end and back-end Web servers” which is extremely popular with financial institutions.
The bug in question was fixed with a patch on March 6. Soon afterwards, hackers began exploiting it en masse and didn’t let up.
Equifax claims to have learned of the breach in May.
That is months after the vulnerability was known and easily fixed with an update.
Ahem. Explain to me why we need powerful, unaccountable financial institutions that are allowed to stockpile huge amounts of exploitable information on virtually every American, again?