It’s been a week since credit reporting agency Equifax admitted it had lost sensitive personal data for 143 million American consumers — one of the worst data breaches yet. Now, the company says it knows how the intruders got in… and it’s through a bug that was first identified six months ago.
Equifax updated its breach information page this week to identify the vulnerability malicious actors were able to use to get access to all that juicy private data.
The issue was in the Apache Struts framework, code used to develop and run Java-based apps for web servers. Loads of companies, including other banks and credit reporting agencies, rely on versions of Apache Struts to work.
Ars Technica reported on the vulnerability in early March. Means of exploiting the vulnerability were “trivial, reliable, and publicly available,” Ars noted at the time, making the flaw high-impact and high-visibility and leaving major sites exposed to a growing wave of attacks.
By the time Ars ran that story on March 9, Apache had already issued a patch. And yet by the time the big breach began two months later, in mid-May, Equifax had apparently still not updated, since its systems were vulnerable to that flaw.
Ars notes that applying this particular patch is “labor intensive and difficult,” due to the way the software works. But clearly the worst-case outcome of not doing so has proven to have massive consequences, not only for nearly half the entire U.S. population but for tens of millions of people around the world as well.
In an extremely unusual move, the Federal Trade Commission has confirmed that it has opened an investigation into the circumstances of the Equifax breach.
“The FTC typically does not comment on ongoing investigations. However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach,” an agency spokesman told media.
The FTC is responsible for overseeing business compliance with laws that require credit reporting agencies to keep non-public personal information, well, non-public. So although it’s exceedingly rare for the Commission to confirm an investigation has been opened, it’s also unsurprising they would do so in this case.
Virginia Senator Mark Warner on Wednesday sent a letter [PDF] to the FTC requesting it launch an investigation into the massive data breach.
“Aspects of this breach raise questions about the data security practices of Equifax that implicate the FTC’s existing authority,” Warner wrote. The Senator also called out several of “Equifax’s post-breach actions,” including poor site management of the breach notification portal, weak user PINs for credit freezes, and confusing notification to consumers who just wanted to know if they were hit.
“Taken as a whole, and given past breaches by other major credit bureaus, these lapses may potentially represent a systemic failure by firms currently incentivized to collect and store highly sensitive identification and financial data for Americans,” Warner said. “I fear that firms like Equifax may illustrate a set of institutions whose activities, left unchecked, can significantly threaten the economic security of Americans.”
In the wake of consumer complaints and media coverage, Equifax says this week it has updated call center support, added clarification about mandatory binding arbitration, and revamped the way it issues PIN codes to consumers placing freezes on their credit.
We’ve asked Equifax for a comment and will update if we hear back.