Equifax Inc. specified which software vulnerability hackers exploited to steal data on 143 million U.S. consumers, pointing to a flaw that computer security experts had flagged publicly early this year.
The company's stock dropped another 8% in early trading Thursday following the FTC statement.
The vulnerability allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, and was patched in March 2017.
The U.S. government is investigating the Equifax breach.
The fallout from the Equifax breach is widening.
Applying the patch would have been time-consuming, as it involved rebuilding hundreds of apps using the updated software. The two-month gap between when the patch was issued and when the attackers breached Equifax's network was a particularly risky time, as hackers began immediately exploiting the flaw on websites that didn't apply the fix, according to technology website Ars Technica.
The credit monitoring company's call centre staff said that Canadians who have Equifax accounts in the USA could be at risk of having their data compromised, such as those who have lived, worked or applied for credit south of the border.
The majority of America's adult population was affected by the credit bureau's breach. The stolen data includes Social Security numbers, birth dates, and addresses. Any number pressed on the keypad can lead to more robocalls. Equifax CEO Richard Smith is scheduled to testify before a House of Representatives panel on October 3rd.
'I apologize to consumers and our business customers for the concern and frustration this causes.'
"If a company has a data breach, like a Home Depot or whatever, they can sell hammers, nails, wood, whatever and generate revenue", Jeff Dodge, senior vice president of investor relations at Equifax, said at an investor conference in November. That's, uh, not a good look for Equifax's data security team.
The company is the latest to announce a major breach.
Equifax said it would work with American, British and Canadian regulators to determine appropriate next steps for customers affected in those countries, but added that it 'found no evidence that personal information of consumers in any other country has been impacted'. Yahoo last year disclosed two separate cyber attacks which affected as many as one billion accounts.
More recently, Equifax's cybersecurity has come under fire.