Negligence! If they would have patched their server(s) the day the patch was released this would have never happened.
This is inexcusable! Heads should roll. Maybe it’s time some people go to jail for this kind of sh^t.
Dan Goodin, writing for Ars Technica 9/13/2017, 8:12 PM
We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.
The flaw in the Apache Struts framework was fixed on March 6. Three days later, the bug was already under mass attack by hackers who were exploiting the flaw to install rogue applications on web servers. Five days after that, the exploits showed few signs of letting up. Equifax has said the breach on its site occurred in mid-May, more than two months after the flaw came to light and a patch was available.
Up to now, Equifax has said only that criminals exploited an unspecified application vulnerability on its US site to gain access to certain files. Now, we know that the flaw was in Apache Struts and had been fixed months before the breach occurred.