Consumer credit reporting agency Equifax has told the Government Accountability Office that the company’s failure to identify and patch a critical software vulnerability and to correctly configure a crucial security system led, in part, to the massive 2017 data breach that compromised the personal information of millions of Equifax customers.
Equifax officials acknowledged that the company was not able to identify the presence of the Apache Struts vulnerability on one of its client-facing portals in time, which gave cyber attackers an opportunity to penetrate the company’s systems, the GAO said in a recently published audit report.
Company officials also admitted failing to update the digital certificate of a security system which, if properly configured, would have alerted Equifax information technology officers about unusual network traffic emanating from compromised servers, the GAO reported.
In October last year, Equifax determined that 145.5 million of its customers were affected by the breach, but this March identified another 2.4 million affected customers from the U.S., the GAO said.
Equifax later learned that some of the 2.4 million were already included in the initial count, but as of August, the company had yet to issue a revised total, the GAO noted.