Equifax Troubles Deepen Amid New Disclosure About Breach

FILE - This July 21, 2012, file photo shows Equifax Inc., offices in Atlanta. On Monday, Sept. 11, 2017, Equifax said it has made changes to address customer complaints since it disclosed a week earlier that it exposed vital data on about 143 million Americans. Equifax has come under fire from members of Congress, state attorneys general, and people who are getting conflicting answers about whether their information was stolen. Equifax is trying again to clarify language about people’s right to sue, and said Monday it has made changes to address customer complaints. (AP Photo/Mike Stewart, File)

Credit agency Equifax traced the theft of sensitive information about 143 million Americans to a software flaw that could have been fixed well before the burglary occurred, further undermining its credibility as the guardian of personal data that can easily be used for identity theft.

Equifax identified a weakness in an open-source software package called Apache Struts as the technological crack that allowed hackers to heist Social Security numbers, birth dates, addresses and full legal names from a massive database maintained primarily for lenders. The disclosure, made late Wednesday, cast the company’s damaging security lapse in an even harsher light. The software problem was detected in March and a recommended software patch was released shortly afterward. Equifax said the database intrusion began in May and continued until July. Security experts said Equifax had more than enough opportunity to block intruders by sealing the security hole.

“There is no excuse for not following basic cybersecurity hygiene,” said Nate Fick, CEO of the security firm Endgame. “Some heads should definitely roll for this; it’s only a question of how many.”

Equifax was already under fire for not disclosing the break-in until September 7, nearly six weeks after the company discovered it, as well as for its handling of consumer inquiries about their exposure: whether their personal information had been compromised and how they could protect their identities. A proposal to impose sweeping reforms on Equifax and its two main peers, TransUnion and Experian, also has been drawn up by Rep. Maxine Waters (D-CA).