Flaw on Equifax system was exposed over 6 months ago

As UK consumers face a wall of silence about whether their information has been compromised in last week’s data breach at Equifax, the company has admitted it was hacked through a weakness widely discussed in cyber security circles six months ago.
In an update posted to its website last night, Equifax said that the criminals had exploited a vulnerability in Apache Struts, an open-source framework for developing web applications.
But Oege de Moor, chief executive and founder of Semmle, a software analytics provider based in San Francisco, told the Financial Times that the flaw had been disclosed by the Struts project in March, along with “clear and simple” instructions on how to fix it.
Many companies had reacted promptly, he said, including networking group Cisco, which put out a full account of the products that were affected by the vulnerability within 48 hours.
De Moor added: “Forward-looking companies, which have the right procedures in place reacted to the disclosure by taking remedial action. The fact that Equifax [was] attacked in May means that [it] did not follow that advice. Had they done so, this breach would not have occurred.”
The move follows growing criticism of the company’s handling of the breach in the UK. Despite admitting that British consumers have been affected, the website which the company has set up for concerned customers asks users to enter a US social security number to find out if they are affected by the data breach, it is of no use to anyone in the UK.
BT is among a number of British businesses that work with Equifax, using its databases to assess the creditworthiness of customers. But it too appears to be in the dark about just how much data was affected by the breach.
The UK Information Commissioner’s Office also appears to be none the wiser, simply referring enquiries back to the statement it released late week.
The company’s share price has crashed by over 30% since the breach was reported.