In wake of Equifax breach, government shines light on entire industry

Government agencies have contacted Equifax’s largest competitors to learn more about the potential for cyberattacks on the credit monitory industry as a whole, a senior federal official told CyberScoop.

The recently revealed breach at Equifax — one of three multinational corporations that rely on comparable software to manage consumers’ credit reports and other highly sensitive records — caused upwards of 143 million records to be compromised and drew immediate attention by federal law enforcement.

But other federal agencies, like the Department of Homeland Security, have been focusing on understanding the threat posed to the larger industry, according to the senior federal official, who spoke to CyberScoop on condition of anonymity to discuss an ongoing government investigation.

The official said that because Equifax’s biggest competitors — namely TransUnion and Experian — also rely on software like Apache Struts, a popular web server application, the outreach was necessary in order to learn more about the industry’s overall vulnerability.

CyberScoop first reported that an outdated, unpatched Apache Struts vulnerability allowed for hackers to break into Equifax over the summer — a fact that was later publicly confirmed by Equifax. 

“Because they all sort of use these same programs, we needed to contact them too,” the official told CyberScoop. “It’s necessary.”

Security researcher Kevin Beaumont found that both Experian and TransUnion relied on Apache Struts. It’s not clear, however, if or when Experian or TransUnion updated their existing systems that may have been running older versions of the software. Little is known about how the broader industry has reacted — from a security perspective — to the historic breach of Equifax.

Requests for comment sent to TransUnion and Experian regarding their communications with government officials went unanswered.