The recent data breach suffered by Equifax seems to be due to a vulnerability in the open-source Apache Struts framework, as suggested by a Baird Equity Research report. Equifax has neither publicly confirmed nor denied that the flaw in Apache Struts is the root cause of the incident, though the company has admitted that a web application vulnerability may be the reason behind the breach.
The Apache Software Foundation said that Struts may have been the reason for the breach that potentially compromised sensitive information for 143 million American consumers. In a statement, René Gielen, vice president of Apache Struts, said, “We are sorry to hear the news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework. At this point in time, it is not clear which Struts vulnerability would have been utilized, if any.”
Equifax discovered the breach on July 29, 2017, but had waited until after the close of trading nearly six weeks later to disclose the breach to consumers and Equifax’s investors. As part of its investigation of this application vulnerability, Equifax identified unauthorized access to limited personal information for certain UK and Canadian residents. The company found no evidence that personal information of consumers in any other country has been impacted.
Earlier this week, it was reported that the shareholder rights law firm Johnson Fistel, LLP (formerly Johnson & Weaver, LLP) is investigating potential violations of the federal securities laws by Equifax Inc. and certain of its officers.