Equifax, the US credit-reporting group at the centre of a huge data breach, has said that it was hacked via a weakness widely discussed in cyber security circles six months ago. The admission is likely to amplify criticism of its lax defences.
The Atlanta-based company said last week that hackers broke into its vaults in mid-May to steal names, social security numbers, dates of birth and other identifying information for 143m Americans, along with more than 200,000 sets of credit card numbers.
Since then, shares in the company have fallen about 30 per cent amid calls for hearings on the affair in both chambers of Congress, state-level investigations and a flurry of private lawsuits.
Late on Wednesday, in an update posted to its website, Equifax said that the criminals had exploited a vulnerability in Apache Struts, which is a popular open-source framework for developing web applications in the Java programming language.
But Oege de Moor, chief executive and founder of Semmle, a software analytics provider based in San Francisco, noted that the weakness, catalogued as CVE-2017-5638, had been disclosed by the Struts project in March, along with “clear and simple” instructions on how to fix it.
“The fact that Equifax [was] attacked in May means that [it] did not follow that advice,” he said. “Had they done so, this breach would not have occurred.”
Equifax could not be reached for comment.
The disclosure is likely to heighten pressure on the company and Richard F Smith, its chief executive, who last week said that Equifax did not realise it had been breached until late July.
Earlier on Wednesday, a bipartisan group of US senators called for sweeping federal investigations of Equifax over stock sales by company executives “within days” of the discovery of the raid.
In a joint letter to the Securities and Exchange Commission, the US Department of Justice and the Federal Trade Commission, the 36 senators — led by Democrat Jack Reed of Rhode Island and Republican John Kennedy of Louisiana — called published reports of such stock sales “disturbing” and urged a probe of potential violations of insider trading laws.
The lawmakers also asked for regulators’ findings on “whether Equifax management employed reasonable measures to ensure the security of the now compromised data”.
“We request that you spare no effort in your investigations and in enforcing the law to the fullest extent against anyone who is found to be at fault,” they wrote.
Mr de Moor of Semmle said that his group had disclosed a new Struts vulnerability (CVE-2017-9805) to the cyber security community last week, jointly with the Struts developers. Many companies reacted promptly, he said, singling out Cisco, the networking group, which put out a full account of the products that were affected by the vulnerability within 48 hours.
“Forward-looking companies, which have the right procedures in place . . . reacted to the disclosure by taking remedial action,” he said.