Equifax's internal investigation of this incident is still ongoing and the company continues to work closely with the FBI in its investigation.

Specific Details of Incident:

On July 29, 2017, Equifax's Security team observed suspicious network traffic associated with its U.S. online dispute portal web application. In response, the Security team investigated and blocked the suspicious traffic that was identified.

The Security team continued to monitor network traffic and observed additional suspicious activity on July 30, 2017. In response, the company took offline the affected web application that day.

The company's internal review of the incident continued. Upon discovering a vulnerability in the Apache Struts web application framework as the initial attack vector, Equifax patched the affected web application before bringing it back online.

On August 2, 2017, Equifax contacted a leading, independent cybersecurity firm, Mandiant, to assist in conducting a privileged, comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted.

Over several weeks, Mandiant analyzed available forensic data to identify unauthorized activity on the network.

The incident potentially impacts personal information relating to 143 million U.S. consumers – primarily names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers.

In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.

Equifax also identified unauthorized access to limited personal information for certain U.K. and Canadian residents and is working with regulators in those countries.

With respect to the company's security posture, Equifax has taken short-term remediation steps, and Equifax continues to implement and accelerate long-term security improvements.

Questions Regarding Apache Struts:

The attack vector used in this incident occurred through a vulnerability in Apache Struts (CVE-2017-5638), an open-source application framework that supports the Equifax online dispute portal web application.

Based on the company's investigation, Equifax believes the unauthorized accesses to certain files containing personal information occurred from May 13 through July 30, 2017.

The particular vulnerability in Apache Struts was identified and disclosed by U.S. CERT in early March 2017.

Equifax's Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company's IT infrastructure.

While Equifax fully understands the intense focus on patching efforts, the company's review of the facts is still ongoing. The company will release additional information when available.