San Francisco Chronicle

Equifax hackers used flaw ID'd in March

By Ken Sweet and Michael Liedtke, Associated Press writers

The Federal Trade Commission has become the latest authority to announce an investigation into the huge security breach at credit agency Equifax — a breach that could have been fixed months before it occurred.

The FTC said Thursday that it is opening an investigation into how Equifax got hacked and tens of millions of Americans’ personal information was either accessed or stolen. Typically the FTC does not disclose who it is investigating, but the agency said the high amount of attention in this case made it necessary.

Equifax disclosed last week that hackers were able to access the personal information of 143 million Americans, including critical things like Social Security numbers, birth dates, addresses and full legal names. Equifax is one of three major credit bureaus that keep track of the financial affairs of U.S. consumers in order to help banks make decisions on lending, tracking everything from credit card balances to payment history to court judgments. The other two main credit bureaus are TransUnion and Experian.

“In light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach,” Peter Kaplan, acting director of public affairs at the FTC, said in a statement.

The FTC is not the only Washington authority looking into the breach. The Consumer Financial Protection Bureau previously announced its own investigation, and the House Financial Services Committee plans to hold hearings on the breach in early October. Politicians from both major parties are calling for additional investigations by Congress or the Department of Justice.

As the FTC looks into how Equifax was hacked, the company issued an update late Wednesday blaming the breach on a weak link that computer security experts say should have been fixed long before the break-in occurred.

Equifax said the hackers took advantage of an opening created by a flaw in a piece of open-source software called Apache Struts. The problem was identified in March, and a patch was released shortly afterward.

The intrusion into Equifax’s computer systems began in May and continued until late July. It wasn’t clear from Equifax’s disclosure whether the company applied the patch and it didn’t work, or whether its security department simply ignored the warning about the problem.

Computer security expert Nate Fick called Equifax’s failure to address the problem a “massively egregious” breakdown that should result in the ouster of the company’s top executives.

“There is no excuse for not following basic cybersecurity hygiene,” said Fick, CEO of security specialist Endgame.
