Credit reporting agencies hold valuable information on customer’s so they can provide them with a credit score; in the wrong hands, this very same data can adversely affect its rightful owner. Due to a failure to keep their systems fully patched, the Equifax data breach left millions of identities vulnerable to the modern world. This article describes how and why the breach occurred.
During the months of May and July 2017, hackers were able to make their way into Equifax’s data systems through an unpatched flaw in their database. This vulnerability allowed attackers access to Equifax’s 143 million customer’s sensitive information. Stolen information includes: drivers license numbers, addresses, birth dates, and social security numbers. Often times, many of these individual components of information are useless, but when its all neatly compiled together, its value increases exponentially according to the associated credit score.
The exploit happened via Apache Struts, a popular open-source web application used among top credit reporting agencies to create Java web applications. The web application used a plugin that pulled information from a library program called XStream, which converts customer information into storable data. This plugin is where many believe the hack took place. A malicious code was inserted the XStream plugin that allowed unauthorized access to the database.
Experts say the breach could have been prevented had Equifax kept their systems patched and updated. Failure to keep their systems updated ultimately allowed hackers a two month timeframe to “pwn” the system. Equifax did not find out about the breach until July 29, 2017 and failed to mention anything about the hack until September 7, 2017.
Overall, the hack on Equifax was very damaging to the company and its customers. A substantial amount of valuable information was lost, and many customers were put at risk of possible identity theft. It is reasonable to say that the hack, or the risk of one, could have been prevented had the security software of Equifax been kept up to date, and if administrators responsible for the oversight of the company’s online security had taken more decisive action in identifying the breach and working to stop it. Although Equifax did hire a private cybersecurity firm to investigate the nature of the hack and its effects, the company did not publicly announce that the information of millions of its customers had been possibly compromised.