You can use creditkarma.com for free. Try this instead is you need to find out what is going on with your record. I just checked mine and all is ... so far so good I hope!

Should be put out of business if they can't do the job.

Full stop. Apache releases patches for any vulnerabilities quickly. If there's a CVE issued on the vulnerability and a patch available, IT. SHOULD. HAVE. BEEN. PATCHED.

N O

E XC U S E S

God DAMN these assholes.

HERE is where the vulnerability was documented: https://nvd.nist.gov/vuln/detail/CVE-2017-5638#vulnDescriptionTitle

Analysis Description
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.

Impact Type:
Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

I wonder what their excuse will be for not patching it? Two months should have been more than enough time and a large organization like Equifax should have the resources to do it.

Just because a patch gets release doesn't mean it gets implemented that day. A lot of companies have weekly or monthly maintenance windows and asking for downtime to reboot a server outside of those can be a dicey proposition for IT departments.

Even before a patch gets scheduled for installation during a maintenance window though, it's almost always going to have to go through a QA process of some sort. Most security patches pass with flying colors, but every once in a while you end up with something that requires you to go back to the vendor and ask for help. I've never worked with Apache, but I know service requests with Oracle can languish for weeks.

All that being said, know that I'm just playing devil's advocate here. Having worked in IT, I'm more inclined to believe that Equifax just dropped the ball.

Vulnerability management is part of my job. I'm pretty sure someone dropped the ball here given that sensitive data was not adequately protected.

And we are NOT EVEN a bank or credit reporting agency.

They had MONTHS to test and apply this thing. At least two months before the breach happened. They house CRITICALLY sensitive personal data of millions - a responsibility which they clearly do not take seriously.

Again: NO excuses.

software projects.

There is web server named Apache that is one of those projects. They were just lazy and or cheap about applying known security fixes.