A massive data breach of credit equity firm Equifax has potentially impacted 143 million customers.
According to a statement released by Equifax, cyber criminals exploited a web application vulnerability to gain unauthorized access to files from mid-May through July 2017.
Equifax stated there was no evidence of unauthorized activity on their core consumer or commercial credit reporting databases, but summarized the impact to customers on their website:
“The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.”
Attackers exploited an Apache Struts vulnerability, CVE-2017-5638, that was patched in March 2017.