18 September 2017
today claims that Equifax was hacked twice, once in March
(which is very soon after the Struts vulnerability was disclosed) and once
in mid-May. The news article does not say if the same vulnerability
was exploited; it does, however, say that their sources claim that
"the breaches involve the same intruders".
If it was the same exploit, it suggests to me one of the possibilities
I raised two days ago: that the company lacked a comprehensive software
inventory. After all, if you know there's a hole in some package and
you know that you're being targeted by attackers who know of it and have
used it against you, you have very strong incentive to fix all instances
immediately. That Equifax did not do so would seem to indicate that
they were unaware that they were still vulnerable. In fact, the real
question might be why it took the attackers so long to return.
Maybe they couldn't believe that that door would still be open…
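The point about a software inventory is concrete enough to show in code. The following is an added example, not code from the post or from Equifax: it takes a constructed inventory of deployed components, flags every deployment whose version falls in an affected range, and, separately, compares that inventory against what a host scan actually observed. The component name, host names, application names and the affected version ranges are all assumptions made up for illustration; in practice the ranges come from the vendor advisory. The last function is the one that matters for the argument above: an instance that is not in the inventory is an instance a patch campaign driven by the inventory will never reach.

```python
"""Inventory-driven vulnerability matching.

Added example; the inventory, host names, component name and the
affected version ranges below are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Deployment:
    """One running instance of a component, as an inventory would record it."""
    host: str
    application: str
    component: str
    version: str


def parse_version(version: str) -> tuple:
    """Turn '2.3.31' (or '2.3.31-SNAPSHOT') into a comparable tuple of ints.

    Only the leading digits of each dot-separated part are used, so a
    qualifier such as '-SNAPSHOT' does not break the comparison.
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def in_ranges(version: str, ranges) -> bool:
    """True if the version lies inside any inclusive (low, high) range."""
    vt = parse_version(version)
    return any(parse_version(lo) <= vt <= parse_version(hi) for lo, hi in ranges)


def find_vulnerable(inventory, component: str, ranges):
    """Every inventory entry for `component` whose version is in an affected range."""
    return sorted(
        d for d in inventory
        if d.component == component and in_ranges(d.version, ranges)
    )


def missed_by_inventory(inventory, observed):
    """Deployments seen on hosts but absent from the inventory.

    These are the instances an inventory-driven patch campaign silently
    skips: the organisation does not know they exist, so it never fixes them.
    """
    return sorted(set(observed) - set(inventory))


# Assumed affected ranges for a hypothetical 'struts2-core' issue (placeholder
# values; take the real ones from the vendor advisory).
VULNERABLE_RANGES = [("2.3.5", "2.3.31"), ("2.5.0", "2.5.10")]

# Constructed inventory: what the organisation believes it is running.
INVENTORY = [
    Deployment("web-01", "dispute-portal", "struts2-core", "2.3.30"),
    Deployment("web-02", "dispute-portal", "struts2-core", "2.3.32"),
    Deployment("api-01", "partner-api", "struts2-core", "2.5.10"),
    Deployment("batch-01", "report-gen", "spring-core", "4.3.9"),
]

# Constructed scan result: what a host-level check actually found. One legacy
# host running an old copy of the component never made it into the inventory.
OBSERVED = INVENTORY + [
    Deployment("legacy-07", "old-claims-app", "struts2-core", "2.3.16"),
]


if __name__ == "__main__":
    print("Affected per inventory:")
    for d in find_vulnerable(INVENTORY, "struts2-core", VULNERABLE_RANGES):
        print(f"  {d.host:10} {d.application:16} {d.version}")
    print("Affected per scan:")
    for d in find_vulnerable(OBSERVED, "struts2-core", VULNERABLE_RANGES):
        print(f"  {d.host:10} {d.application:16} {d.version}")
    print("Running but not in the inventory:")
    for d in missed_by_inventory(INVENTORY, OBSERVED):
        print(f"  {d.host:10} {d.application:16} {d.version}")
```

Run as a script it lists two affected hosts from the inventory and three from the scan; the difference is exactly the deployment the inventory does not know about. The design choice is to keep the "what do we think we run" and "what is actually running" views as separate inputs and diff them, because the second breach in the scenario above is only explicable if those two views disagreed.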
On another note, several people have sent me notes pointing out that Susan Mauldin, the former CSO at Equifax, graduated with degrees in music, not computer science. I was aware of that and regard it as quite irrelevant. As I and others have pointed out, gender bias seems to be a more likely explanation for the complaints. And remember that being a CSO is a thankless job.
Update: based on later information, disregard the first two paragraphs of this.