EQUIFAX HAS BLAMED an unpatched flaw in the Apache Struts Web Framework for last week's breach that exposed the social security numbers and other personal details of 143 million Americans
Over on its ironically-named Equifax Security website, the company confirms a report from equity research firm Baird, which last week claimed that a widely-exploited Apache flaw was to blame for the breach.
"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cyber security firm to determine what information was accessed and who have been impacted," the credit reporting outfit said.
"We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement."
The cited Apache Struts flaw dates back to March and a patch was promptly released on 6 March, two months before Equifax learnt of a breach of its systems. This suggests that the firm did not install the security updates, despite demonstrable proof that the flaw gave attackers an easy way to take control of websites containing sensitive data.
This fact becomes less surprising after hearing, courtesy of Brian Krebs, that Equifax's Argentinian website left administrator access guarded by the user/password login combination of, er, admin/admin.
These credentials allowed anyone to add or remove employee accounts for the system, as well as see their passwords by simply viewing the source of a web page, or access the personal data of anyone - including their DNI the Argentinian equivalent of the Social Security number - who had ever disputed a report.
Equifax Chief Executive Richard Smith is expected to testify before a US House of Representatives panel on 3 October after nearly 40 states joined a probe of the company's handling of the breach.
Elsewhere, a chatbot originally developed to overturn parking fines has been re-purposed to help customers affected by the Equifax data breach sue the company, with its creator hoping to "bankrupt" the company. µ
But we probably won't see it until next year
Why stick a finger in a dyke when you can ram the entire boy in the hole, eh?
Reminds us that we're supposed to be able to trust them
'Exclusive' model starts shipping on 29 June