Credit report provider Equifax has revealed more details about the cause of the data breach that exposed personal information for up to 143 million Americans. The company said that attackers exploited its website through a vulnerability in the Apache Struts web development framework. Specifically, the attackers used a known vulnerability called CVE-2017-5638.
A fix for the security bug first became available March 10 and was later updated. Equifax had not yet applied the patch in mid-May when unauthorized access of its systems began. The company discovered the intrusion July 29 but though it was “limited,” its CEO said.
“We are devoting extraordinary resources to make sure this kind of incident doesn’t happen again,” Equifax CEO Richard F. Smith said. “We will make changes and continue to strengthen our defenses against cyber crimes.”