This confirms that CVE-2017-5638, announced and patched in March, was the vector for the attack (which began in May).
It would be interesting to learn whether the Struts application was intended to have access to this scope of information in the leak, or if it was only a vector through which other layers of security were circumvented.
Yet another months-old hole being used to break in.
How come insurance companies haven’t gotten around to enforcing basic internet security on all these megacorps?
The megacorps haven’t felt the need to buy insurance against events like this; it’s easier for the insurers to exclude these events from policies.