From Bruce Schneier's newsletter:
Quote:
This was not a sophisticated attack. The security breach was a result of
a vulnerability in the software for their websites: a program called
Apache Struts. The particular vulnerability was fixed by Apache in a
security patch that was made available on March 6, 2017. This was not a
minor vulnerability; the computer press at the time called it
"critical." Within days, it was being used by attackers to break into
web servers. Equifax was notified by Apache, US CERT, and the Department
of Homeland Security about the vulnerability, and was provided
instructions to make the fix.

Two months later, Equifax had still failed to patch its systems. It
eventually got around to it on July 29. The attackers used the
vulnerability to access the company's databases and steal consumer
information on May 13, over two months after Equifax should have patched
the vulnerability.