Equifax Blames Flaw In Database Software For Breach; Backlash Mounts From Consumers, Lawmakers

Equifax, the credit scoring company that suffered a data breach affecting as many as 143 million Americans, is blaming a flaw in third-party software used by its online systems.

According to a news report in The New York Post, hackers were able to steal consumers’ data, including Social Security numbers, because of a weakness in open source software developed by the Apache Software Foundation. Jeffrey Meuler, an analyst at Robert W. Baird & Co., received those details from the company.

“My understanding is the breach was perpetuated via the Apache STRUTS flaw,” Meuler told The Post. The report noted that Struts, an open source web application framework, is used by approximately 65 percent of Fortune 100 companies, including Lockheed Martin, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot and Showtime.

On Thursday, Sept. 7, Equifax announced that it had experienced a cyberattack that may have affected approximately 143 million U.S. consumers and potentially compromised the credit card numbers of approximately 209,000 people. In a press release detailing the breach, the company said hackers potentially exploited a vulnerability in a U.S. website application to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017; the company said it had found no evidence of unlawful activity on its consumer or commercial credit reporting databases.

According to Equifax, the affected information includes names, Social Security numbers, birthdates, addresses and, in some instances, drivers’ license numbers. The company also reported that credit card numbers for approximately 209,000 U.S. consumers were accessed, as were certain dispute documents containing personal identifying information for approximately 182,000 U.S. consumers, putting those individuals at risk of identity theft.

As part of its investigation, Equifax also identified unauthorized access to limited personal information for certain U.K. and Canadian residents. Equifax noted it is working with U.K. and Canadian regulators to determine appropriate next steps. The company has found no evidence that the personal information of consumers in any other country had been affected by the breach, it said.

News of the cyberattack prompted outrage from consumers and lawmakers alike. Two committees in the U.S. House of Representatives have already said they would hold hearings, reported Reuters, citing a committee spokesman. “This is obviously a very serious and very troubling situation, and our committee has already begun preparations for a hearing,” Rep. Jeb Hensarling, who chairs the Financial Services Committee, said in a statement, as reported by Reuters. “Large-scale security breaches are becoming all too common.”

Meanwhile, Rep. Greg Walden, who is chairman of the Energy and Commerce Committee, told the news service his committee will also hold a hearing to investigate the matter. Pennsylvania Attorney General Josh Shapiro said in a statement that his state, along with Connecticut and Illinois, is leading a collaborative inquiry into the data breach. New York Attorney General Eric T. Schneiderman has also launched his own investigation, noted The New York Times. At last count, five state AGs were looking into the matter.

The paper noted that two class action lawsuits have been filed and that consumers exposed to identity theft are unsatisfied with Equifax’s offer of one year of free credit monitoring. Adding to the backlash, three executives at the company, including its CFO, sold $1.8 million in shares in the days after the breach was discovered, the New York Times noted.

Equifax’s future prospects are also expected to take a big hit as a result of the data breach. Another Reuters report cited Moody’s Investors Service as saying the breach will hurt Equifax’s growth prospects for the next three to four quarters and could tarnish the company’s reputation. Moody’s said that Equifax could face litigation, regulatory action and higher cyber insurance premiums, although the company’s rating and outlook remained stable, the report noted.