Equifax said Wednesday a months-old but apparently unpatched web server vulnerability allowed thethat for roughly half the U.S. population.
Equifax said it identified Apache Struts CVE-2017-5638, a flaw that was first identified on March 6, as the hack's gateway. The company located the problem with the help of an unidentified cybersecurity firm. Patches for the vulnerability were made available less than a week later.
It wasn't immediately clear why the flaw still existed on Equifax's servers in mid-May when the massive, months-long hack began. Equifax representatives didn't respond to a request for comment.
The revelation of an unpatched vulnerability raises further questions about the hack, which the credit-reporting firm revealed less than a week ago. Hackers made off with a treasure trove of financial data from as many as 143 million people in the U.S., including names, Social Security numbers, birth dates and addresses of customers. Equifax learned about the breach on July 29 but didn't reveal it for more than a month.
The breach, which was particularly potent because one company held such a large amount of sensitive information, is among the largest in U.S. history and the biggest known leak of 2017. Yahoo lost data on roughly a record 1 billion accounts in 2013, the web portal said last year.
The company has been under intense scrutiny since the hack was revealed on Sept. 7. A pair of influential U.S. senators have sent a letter to Equifax CEO Rick Smith demanding answers to detailed questions about the massive hack, including details such as the timeline for the security breach and when the company became aware of it.
Sen. Orrin Hatch, chairman of the Senate Finance Committee, also asked for information about when authorities and board members were informed of the hack, includingin the days after the hack was discovered but before it was made public.
This article originally appeared on CNET.