In a press release published late Friday night, credit rating and reporting firm Equifax revealed new details about the security breach that exposed the personal details of over 143 million users, and also announced the immediate retirement of two high-ranking executives.
Equifax says that breach came to light on July 29 when its security team observed suspicious traffic from its US online dispute portal. Its security team blocked the traffic, but the next day, July 30, more suspicious activity was discovered.
Realizing that something was wrong, Equifax's security team immediately brought down the server running the US online dispute portal web application.
Following an internal review, the company realized that attackers breached the server via a vulnerability in the Apache Struts Java framework that it was powering the underlying US online dispute portal. After patching the application, Equifax brought the web portal back online.
Equifax says that three days later they brought in cyber-security firm Mandiant — part of FireEye — the go-to company when it comes to investigating cyber-security incidents.
It was with Mandiant's help that Equifax discovered the breach. According to new revelations, Equifax says investigators found evidence suggesting that attackers had access to its network from May 13 through July 30, 2017.
With this new information available we can see that the breach took place because of Equifax's failure to patch its Struts-based applications.
The Struts vulnerability used in the attack was CVE-2017-5638. This was not a mundane flaw. At the time of its discovery, it had announceda zero-day status, meaning it was already being used in attacks before a patch was available.
The vulnerability got a lot of media coverage and the Department of Homeland Security's CERT team also issued an alert.
In its recent statement, Equifax said it was aware of the vulnerability when it was first discovered and a patch was made available in March. Equifax said it "took efforts to identify and to patch any vulnerable systems in the company's IT infrastructure," but it seems they might have missed a few systems.
The following data has been currently confirmed as exposed by Equifax officials:
On Friday, Equifax also announced the immediate retirement of two high-ranking executives.
Chief Information Officer David Webb will be replaced by Mark Rohrwasser, the company's current lead over International IT operations.
Chief Security Officer Susan Mauldin will be replaced by Russ Ayres, who previously served as Vice President in the IT organization.
Mauldin has been heavily criticized following the breach. Initially, she was attacked because she deleted her LinkedIn profile. Equifax also took some blame, for hiring Mauldin, a music major. Some infosec experts believe Mauldin's criticism to be unfair [1, 2, 3].