Last Thursday, credit-monitoring firm Equifax announced that hackers had breached its computer systems and compromised the data of as many as 143 million Americans. Thursday, the company confirmed that the perpetrators of the attack did, as rumored, exploit a weakness in Apache STRUTS.

Equifax identified the exploited vulnerability as Apache Struts CVE-2017-5638.

In March, industry experts pinpointed the CVE-2017-5368 vulnerability. That same month, Apache released a patch to correct it, the New York Times notes. Apache also published instructions describing how to implement the patch.

Three days after the Apache STRUTS weakness was discovered, reports surfaced indicating that hackers had begun taking advantage of it. At that point, it was clear that the Apache vulnerability presented a considerable security threat.

Therefore, many are scratching their heads as to why Equifax neglected to install the patch before hackers accessed the company’s systems in mid-May. Ars Technica notes that implementing the update would have been labor-intensive because after downloading the patch, one would need to rebuild all applications built with older, vulnerable versions of the software.

Still, Bas van Schaik, a product manager and researcher at Semmle, an analytics security firm, points out, it is Equifax’s responsibility to take the measures necessary to protect its customers’ data.

“This vulnerability was disclosed back in March. There were clear and simple instructions of how to remedy the situation. The responsibility is then on companies to have procedures in place to follow such advice promptly,” says per WIRED. “The fact that Equifax was subsequently attacked in May means that Equifax did not follow that advice. Had they done so this breach would not have occurred.”

But, Avivah Litan, a security analyst with the research firm Gartner, told the Times a high-profile company like Equifax needs a multi-faceted security system so that if one aspect fails, others provide reinforcement.

“You have to have layered security controls,” she said. “You have to assume that your prevention methods are going to fail.”

Apache STRUTS is an open-source web development framework used to create Java applications that run Web servers, Ars Technica explains. The software is free, and about 65 percent of Fortune 100 companies, including Lockheed Martin, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and Showtime, use it, per the New York Post. Banks and government agencies—including the IRS—also use the software.

Generally speaking, though, open-source software is particularly vulnerable to hacks.

Developers use Apache STRUTS to develop applications for front-end as well as back-end servers. Front-end servers contain code that translates the website’s content into something the user can see, while back-end ones contain the building blocks of a website and are only accessible to site administrators.

Equifax has not said whether the hackers exploited the company’s back-end or its front-end servers. Accessing the back-end would have required access to the company’s private network, the Times notes.

Several hacking experts have already noted the sophistication of the attack—the sheer amount of data stolen is sufficient to indicate the intricacy of the operation.

Investigators have yet to identify the perpetrators of the attack. A group calling itself the PastHole Hacking Team has claimed responsibility and threatened to release the seized data Friday unless a 600-bitcoin ($2.5-million) ransom is paid.

Several people have concluded that PastHole’s claiming responsibility was a hoax. The leading theory among investigators, the Times says, holds that a nation-state, or a group of hackers sponsored by a nation-state, carried out the attack. A government holding animosity toward the U.S. could cull the stolen data in search of information that could be used for espionage or blackmail.

Investigators note that the amount of data stolen casts further doubt on the notion that a small, financially motivated group of hackers perpetrated the attack.

Such a group would likely sell the information on the Dark Web. While there is a market amongst cyber-criminals for sensitive data, particularly permanent information, like birth dates and social security numbers one can use to access a victim’s bank account, medical records, etc., the market likely would not support such a massive amount of data.

“Are cybercriminals going to try and sell circa 150 million records in dark web auctions? That’s nearly half the population of the United States,” said Thomas Boyden, president of GRA Quantum, a company that specialized in cyberattack incident response, per the Times. “Are there standard cybercriminals out there with the purchasing power for that type of data?”

Equifax said in a statement Wednesday: “We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

Featured image via Pexels