It didn’t seem possible, but Equifax may have screwed the pooch even harder than previously thought.

Several months before the devastating data breach, which compromised the personal data of more than 145 million Americans, the company was apparently warned about a vulnerability in its public-facing infrastructure that would allow virtually anyone to view the data. It reportedly took no action. The vulnerability was eventually patched, but only after the data was stolen. Equifax then waited an additional 41 days after discovering the problem to inform the public.

Advertisement

This new information was first reported on Thursday by Motherboard, which spoke to the security researcher who discovered the vulnerability and reviewed evidence of their find. The revelation raises new questions about the breadth of the exposure, the site says, and further suggests that more than one hacking group may have acquired access to the data.

The researcher requested anonymity to discuss the matter and Gizmodo has not independently confirmed the findings. After discovering the vulnerable Equifax website, Motherboard reports, the researcher realized that it provided access to the personal data of millions upon millions of Americans—names, dates of birth, social security numbers, and more.

“All you had to do was put in a search term and get millions of results, just instantly—in cleartext, through a web app,” the researcher reportedly said.

The extent of Equifax’s fuckup is already well documented. Adding credence to the researcher’s story, previous analysis of Equifax’s infrastructure revealed a sprawling network of unsecured servers.

Advertisement

What’s more, Equifax’s former CEO Richard Smith—who “retired” in the wake of the breach—admitted to Congress that the company failed to patch a critical Apache Struts vulnerability, which the Department of Homeland Security had warned the company about months before the attack.

Equifax has attempted to pin the blame for the entire mess on a single employee; however, it is clear that the extent of the breach is simply too vast for any one person to be responsible. In fact, the implication that a single employee had been tasked with securing the agency’s wealth of personal data is, in and of itself, an admission of incompetence.

Moreover, the company’s response to the breach has itself been a disaster of almost equal proportions—from launching a website that makes it easier to phish customers to redirecting victims to a malware-laden site. This latest report only adds to the mountain of errors, a further indication that it might be best at this point if Equifax were simply no longer allowed to exist.

Equifax did not respond to a request for comment.

[Motherboard]