An attack on Equifax that exposed the private data of 143 million people was due to an old vulnerability that should have been patched, Ars Technica reported.
Equifax is a consumer credit reporting agency that collects and aggregates information on consumers and businesses.
“Equifax has been intensely investigating the scope of the intrusion with the assistance of a cybersecurity firm to determine what information was accessed and who has been impacted,” the company stated.
“We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation.”
Apache Struts is an open-source web application framework for developing Java web applications. It is used by banks, government agencies, and companies – including other credit reporting services.
Ars Technica noted that the vulnerability was patched over two months ago, suggesting the breach could have been prevented.