NEW YORK – Equifax was reportedly hacked five months before its first disclosed date.
Bloomberg reported Monday that Equifax had a major breach of its computer systems in March.
“The company said the March breach was not related to the hack that exposed the personal and financial data on 143 million U.S. consumers, but one of the people said the breaches involve the same intruders. Either way, the revelation that the 118-year-old credit-reporting agency suffered two major incidents in the span of a few months adds to a mounting crisis at the company, which is the subject of multiple investigations and announced the retirement of two of its top security executives on Friday,” Bloomberg reported.
PREVIOUS STORY:
How the Equifax data breach happened:
Much is still unknown. But it came down to a flaw in a tool designed to build web applications, the company said in a press release this week. And Equifax admitted it was aware of the security flaw a full two months before the company says hackers first gained accessed to its data.
Some of the information hackers had access to includes names, Social Security numbers, birth dates, addresses and some driver’s license numbers.
The tool is called Apache Struts, and it’s used by many large businesses and government organizations. Equifax used it to support its online dispute portal — where Equifax customers go to log issues with their credit reports. The flaw allowed hackers to take control of a website.
A cybersecurity arm of the U.S. Department of Homeland Security, US-CERT, “identified and disclosed” the Apache Struts flaw in March, Equifax said in a statement.
And the company’s security department “was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems.”
Yet, according to the company, hackers exploited the flaw months later.
Equifax has said it discovered the data breach on July 29. On Friday, it said it waited until it “observed additional suspicious activity” a day later to take the affected web application offline.
And on August 2 Equifax contacted Mandiant, a professional cybersecurity firm, to help the company assess what data had been compromised.
With help from Mandiant, Equifax was able to determine a series of breaches had occurred from May 13 through July 30, the company said.
Patching software at big corporations with many machines does take time. They must first identify the vulnerability, then implement and test the patch to make sure it doesn’t break anything before making it public.
However, security experts say Equifax should have moved faster.
“There’s really no excuse whether it’s a difficult patch or not, for an organization of that size with that kind of magnitude of data,” said Jon Hendren, director of strategy at security firm UpGuard. “When you’re a big organization like that, it’s a systemic failure of process and the blame goes straight to the top.”
Equifax has also been widely criticized for waiting more than a month to alert its customers and shareholders about the hack.
On Friday, the company announced its chief information officer and chief security officer are “retiring.”