Equifax's latest update on its unprecedented security breach notifies the public that its investigation has found the cause of the theft. Along with an unnamed security firm (ZDNet and others have reported it's Mandiant), the company confirmed rumors that attackers exploited a flaw in the Apache Struts Web Framework. That bug, CVE-2017-5638, was disclosed in March, but the criminals were still able to use it against Equifax in mid-May to steal personally identifiable information (PII - including names, birth dates, social security numbers and more) for 143 million people in the US.
A failure to patch a known security hole becomes more believable after hearing about an egregious security hole discovered just this week. Brian Krebs reports on a situation discovered by Hold Security, where Equifax's Argentinian website left administrator access (including databases of consumers' personal information) guarded by the ultra-difficult user/password login combo of admin/admin. It allowed anyone to add or remove employee accounts for the system, to see their passwords by simply viewing the source of a webpage, or to access the personal data of anyone (including DNI -- their equivalent to a social security number) who had ever disputed a report.
The site was taken offline after Krebs notified Equifax, but the existence of such an easily-accessed security hole is troubling. According to Reuters, over 40 US states have joined a probe against the company, and its CEO is expected to testify before a House of Representatives panel on October 3rd.