Equifax vulnerability

Barely a week old, the Equifax data breach has already become one of the most infamous of them all, thanks to a host of problems with the company’s disclosure and recovery efforts, rumors of employees using inside knowledge of the breach to profit, and the sense of helplessness the whole thing has instilled in those whose information may have been exposed. At the beginning of the week, Equifax published the first of what looks to be a long series of progress updates; it has posted several more since. One of these recent updates included further details regarding the U.S. website application vulnerability that enabled hackers to gain access, and it answered some questions while raising many more. To help you understand the newly revealed information on how this hack happened in the first place, we go over the details as well as some of the top questions they bring to mind.

How did hackers access the Equifax data?

In its initial statement on the breach, Equifax said that the unknown attackers used a U.S. website application vulnerability to access certain consumer information, ranging from people’s names and social security numbers to the data from more than 200,000 credit cards. An update posted on Sept. 13 provided more detail on this security flaw, identifying it as Apache Struts CVE-2017-5638. The Apache Software Foundation, which maintains Apache Struts, the open-source software used by Equifax and numerous other companies, released its own statement confirming this. The security flaw in question was first brought to light on March 7, 2017 by cybersecurity researchers who brought the flaw — and a fix for it — to the Apache Software Foundation’s attention. This flaw is what’s known as a “zero-day” exploit, meaning hackers discovered and exploited it (or figured out how to do so) before the vendor itself knew of its existence. Within the day, the flaw had been patched, and by March 10, all companies using the software were notified of the risks posed by Apache Struts CVE-2017-5638 and made aware that updates were available to rectify the vulnerability.

Why wasn’t this Equifax vulnerability updated immediately?

It is unclear whether or not Equifax did update its software before the security breach two months later in mid-May, but the fact that it was exploited at all points to a worrying lack of cybersecurity standards at the credit bureau. Although patching a security flaw can be time-consuming and sometimes expensive, companies that ignore necessary updates run the risk of falling victim to hackers who are aware of these so-called “zero-day” exploits and target them. It should be noted that both Experian, one of the other three major credit reporting bureaus, and the government-operated AnnualCreditReport.com were also vulnerable to the Apache Struts CVE-2017-5638 flaw. We can only hope that they updated their applications straight away upon notification from Apache, rather than sitting on it as Equifax seems to have done. Updating your systems is a basic tenet of good cybersecurity, one that is important for individuals as well as businesses to practice. As we are learning from this Equifax vulnerability, the consequences can be dire.

Was all of the data stolen in the same time period?

Cybersecurity researcher Brian Krebs noted that some of the information provided by confidential Visa and MasterCard alerts, which the two credit card issuers sent to the financial institutions they underwrite regarding the approximately 209,000 credit cards that were stolen in this breach, seemed to point toward data being compromised as early as November 2016. However, further investigation determined that it is more likely that all of the data, credit cards included, was stolen in one fell swoop during the mid-May intrusion, when the hackers accessed a storage table containing historical credit card transaction-related information. That said, it is still possible that other breaches of Equifax’s website occurred, especially given that this breach stems from a vulnerability the credit bureau failed to patch in a timely manner — some might wonder what other security updates were put off or forgotten in the past. An update to Krebs’ post on this topic indicates that Visa’s advisory was updated as of Sept. 15 to state that in addition to credit card details including credit card numbers, customer names and expiration dates, it believes social security numbers and addresses were stolen — meaning it is possible that these stolen accounts belonged to people who signed up for Equifax credit and identity monitoring.

Why are some people having difficulty accessing the Equifax site now?

Throughout the past week, numerous parts of the Equifax website have experienced outages or errors due to an increase in traffic. On Sept. 13, Equifax posted an update stating its signup page for placing a credit freeze was down for approximately an hour at 5:00 p.m. ET so it could fix some problems. As of Sept. 15, the credit bureau noted that it was still experiencing technical issues as a result of the high volume of people requesting credit freezes. It should be noted that if you are attempting to place a request for a credit freeze of your Equifax credit file online, you might not receive your 10-digit PIN immediately, and instead be forced to call Equifax to obtain it. For more information on placing a credit freeze with Equifax and the other two major credit bureaus, keep your eyes peeled for a future post on our site outlining what you need to know.

Will Equifax be prosecuted as a result of this data breach?

One of the big questions we’re all asking is whether Equifax will be punished for this catastrophic failure to protect consumer information or let go with a slap on the wrist. As of now, both the Federal Trade Commission and the Consumer Financial Protection Bureau have opened investigations into the matter. Equifax CEO Richard Smith has agreed to testify at the first congressional hearing focused on the breach in early October. Additionally, pressure for action has come from a number of government players — notably, Sen. Elizabeth Warren has proposed a bill that would make all credit freezes free, ensuring Equifax (and other credit bureaus in the future) do not profit from this breach. Another group of senators sent a letter to the FTC urging an investigation into the allegations that some Equifax employees sold shares in the company just prior to the data breach becoming public knowledge; as of Sept. 15, both Equifax’s chief information officer and its chief security officer have announced they are retiring. Time will tell whether any other employees or board members will follow suit. It will likely be a while before any formal charges are filed or penalties assessed, but the good news is that the U.S. government is taking this breach very seriously and making moves to ensure that the credit bureau is punished for any and all wrongdoing.

We are continuing to follow this developing story, and you can keep up with our posts by following our Equifax breach blog. If you want to learn more about protecting your credit and identity, head over to our identity theft protection blog.