Equifax Update

Details of the recent EquifaxInc. breach are continuing to emerge.  We now know that the intrusion was accomplished by exploiting the Apache Struts web vulnerability (CVE-2017-5638), which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header. 

A security patch for the flaw in the open source Apache Struts 2 framework was available as early as March 6th, more than two months before the Equifax hack began.  So far, Equifax representatives have declined to answer questions about why this known vulnerability went unpatched for so long.  The fix is known to be complex and labor intensive, which may have contributed to the delay in closing the security hole in Equifax web servers and applications.

Difficulty aside, it now seems clear that the Equifax breach—which impacted nearly half of the adults in the United States—was entirely preventable.

On September 15th, Equifax announced that the company’s Chief Security Officer, Susan Mauldin, and its Chief Information Officer, David Webb, were retiring “effective immediately.”