The Government Accountability Office released a report detailing last year’s massive Equifax data breach and how hackers were able to infiltrate the company’s systems to gain access to the personal information of at least 145.5 million individuals.

According to the report, the hackers took advantage of a recently announced vulnerability in a web server technology called Apache Struts, which Equifax failed to patch or address and that left their systems vulnerable for weeks.

Compounding the Apache Struts vulnerability was a misconfigured network security device that was supposed to inspect incoming traffic for signs of malicious activity. The misconfiguration went unnoticed for 10 months. According to the report, “during that period, the attacker was able to run commands and remove stolen data over an encrypted connection without detention.”

The GAO report also showed that in addition to the failure to patch Apache Struts and the misconfiguration of the security tool, Equifax identified an insecure database structure that “allowed the attackers to gain access to additional database containing PII [personally identifiable information].”

Lax Data Governance standards were also cited, which let the attackers gain “access to a database that contained unencrypted credentials… such as user names and passwords.”

Read the report here.