UPDATED Friday, Sept. 15, with comment from Experian.
American consumers might soon have another massive data breach to worry about. At least one website run by the major credit-reporting agency Experian may be vulnerable to the same attack that caused the Equifax data breach, British security researcher Kevin Beaumont says.
In a blog post Tuesday (Sept. 12), Beaumont details how, in March, an Experian website serving consumers in India was found to be exposed to a flaw that had just been disclosed in Apache Struts, a widely used web-application framework. The AnnualCreditReport.com website, set up by the Big Three credit-reporting agencies to provide free credit reports, was also vulnerable, Beaumont says.
Yesterday (Sept. 13), Equifax admitted that the devastating data breach it disclosed last week was made possible, at least in part, by unpatched Apache Struts implementations on its websites.
Equifax's big mistake was not immediately patching its Apache Struts builds. A patch for the flaw was provided by Apache in March, but Equifax has said the attack on its systems did not begin until late May.
"The Struts [flaw] is common both across all the U.S. credit agencies and other Fortune 500 companies," Beaumont wrote in a Facebook posting today (Sept. 14). "For whatever reason, there has been a mass inability to apply this particular patch — right now, vulnerable systems are still online."
The vulnerability in question, CVE-2017-5638, was disclosed by the Apache Software Foundation on March 6, and a patch was immediately made available. Nevertheless, attacks quickly mounted on websites using Apache Struts. (The vulnerability is different from a separate Apache Struts flaw, CVE-2017-9805, that was disclosed and patched on Sept. 9 and was initially suspected of enabling the Equifax breach.)
Patching Apache Struts is not a simple process. Every web app built using the framework needs to be rebuilt using the updated version of the software. But in the case of the March vulnerability, the flaw let visitors to the affected websites seize control of the back-end servers feeding data to the web apps.
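Because the fix has to be rebuilt into each application rather than applied once to a server, the first defensive step is an inventory of which deployed apps still bundle an unpatched Struts release. The script below is an added example, not from the article or from any of the companies named: it unpacks constructed sample WAR files, reads the bundled struts2-core jar version, and flags anything below an assumed minimum fixed release (the version numbers and file layout are assumptions to verify against the Apache advisory).

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Assumed minimum fixed releases for CVE-2017-5638 per Struts branch; verify against the Apache advisory.
FIXED = {"2.3": (2, 3, 32), "2.5": (2, 5, 10, 1)}
JAR_RE = re.compile(r"WEB-INF/lib/struts2-core-(\d+(?:\.\d+)+)\.jar$")

def parse_version(text):
    return tuple(int(p) for p in text.split("."))  # '2.3.31' -> (2, 3, 31); tuples compare in release order

def is_vulnerable(version):
    """True if this struts2-core version predates its branch's fixed release."""
    fixed = FIXED.get(f"{version[0]}.{version[1]}")
    if fixed is None:
        return True  # unknown branch: flag for manual review rather than assume it is safe
    return version < fixed

def scan_war(war_path):
    """Return (version_string, vulnerable) for a bundled struts2-core jar, else None."""
    with zipfile.ZipFile(war_path) as war:
        for name in war.namelist():
            m = JAR_RE.search(name)
            if m:
                return m.group(1), is_vulnerable(parse_version(m.group(1)))
    return None

def scan_tree(root):
    results = {}
    for war in Path(root).rglob("*.war"):
        found = scan_war(war)
        if found:
            results[war.name] = found  # only apps that actually bundle Struts 2
    return results

def build_sample_wars(root):
    """Write three constructed demo WARs (not real applications) into root."""
    samples = {"consumer": "struts2-core-2.3.31.jar",
               "reports": "struts2-core-2.5.10.1.jar", "static": None}
    for app, jar in samples.items():
        with zipfile.ZipFile(Path(root) / f"{app}.war", "w") as war:
            war.writestr("WEB-INF/web.xml", "<web-app/>")
            if jar:
                war.writestr(f"WEB-INF/lib/{jar}", b"")

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # build the samples, scan them, return the findings
        build_sample_wars(tmp)
        return scan_tree(tmp)
```

Pointing `scan_tree` at a real deployment directory (for example a Tomcat `webapps` folder) gives the list of apps that still need a rebuild.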
Beaumont told Tom’s Guide that he didn't find the exposed flaws on the Experian and AnnualCreditReport.com sites himself. Rather, he found reports of them on XSS.cx, a bare-bones website detailing successful cross-site scripting (XSS) attacks. The reports included screenshots of the contents of Experian and AnnualCreditReport.com servers containing customer data. The Experian screenshots were dated March 12.
The main Experian website currently highlights a helpful link entitled: "Concerned about the Equifax data breach? Find out how Experian can help."
Equifax estimated that its breach impacted 143 million U.S. residents and an unspecified number of Canadians and Britons. Like Equifax and TransUnion, the third major credit-reporting agency, Experian, which is based in Ireland, collects and sells financial data about hundreds of millions of consumers worldwide.
It's likely that the March vulnerability on the Experian server has been patched. The real question is how long the process took and how much of an opportunity it offered to data thieves who were prowling the web looking for Apache Struts vulnerabilities.
The affected Experian website was tailored for Indian customers, but it's possible that someone who got into that server could have pivoted through Experian's global network. That depends on the strength of internal network-security policies. In the case of the Equifax breach, impacted consumers live in at least three different countries on both sides of the Atlantic, and the particular Equifax website that was breached has not been identified.
Beaumont said Experian had not responded to his queries.
Tom's Guide has reached out to Experian for comment, and we will update this story when we receive a response.
UPDATE: An Experian representative provided us with this statement:
"Experian uses a multi-layer approach to security. First, we use Apache Struts (on a somewhat limited basis) in various web applications. We continuously review all our systems, including applications utilizing Apache Struts, and patch or remediate any vulnerabilities as necessary, including the vulnerability referenced by Equifax, CVE-2017-5638.
We applied the patch to this vulnerability in our system within days of the March discovery. As a result, we were not exposed to exploits of this vulnerability.
In addition, Experian has invested in web application firewalls (WAFS) to provide another line of defense so that intrusions can be stopped at the firewall — all WAFS receive automatic updates as soon as a vulnerability is discovered.
Finally, a key component of our security is continuous, robust monitoring of all systems, including, for example, monitoring of traffic and processing volumes, in order to detect any anomalies and trigger alerts, which require immediate action. We’re committed to operating our business in a safe and secure environment and we invest in the tools, processes and talent to safeguard our systems and our data."