The instant I saw folks start pandering the absurd theory that China or Russia had financed this attack I knew it was bogus. The problem was a well-known and well published vulnerability in their website that their site(and many other larger websites) used called Apache Struts. The resulting breach did not take any skill to exploit and the fact it took Equifax as long as it did shows the basic incompetence of the Equifax personnel. I do not know if it was their IT that didn’t notice or if it was(like Yahoo) a C-level decision to not bother with security. Either way, the attribution as a state sponsored attack was bollocks before and Bruce Schnier(one of the most respected Crypto analysts on the planet) has testified on it. If you do not wish to believe small folks like me…listen to folks like Bruce Schnier who will know more about this than I will for a while.
If you want to skip directly to Bruce’s testimony click below.