Equifax had patch 2 months before hack and didn’t install it
Cybersecurity professionals who track down bugs discovered, created a fix for, and told the industry about the vulnerability that allowed attackers into the Equifax network two months before the company was hit by hackers.
“The Equifax data compromise was due to (Equifax’s) failure to install the security updates provided in a timely manner,” The Apache Foundation, which oversees the widely-used open source software, said in a statement Thursday.
Equifax told USA Today late Wednesday that the criminals who potentially gained access to the personal data of up to 143 million Americans had exploited a website application vulnerability known as Apache Struts CVE-2017-5638.
The vulnerability was patched on March 7, the same day it was announced, the foundation said. Modifications were made on March 10, according to the National Vulnerability Database.
Equifax said that the unauthorized access began in mid-May. That’s a period of two months in which the company could have, and should have, say experts, dealt with the problem.
“We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement,” Equifax said. It did not respond to a question Wednesday about whether the patches were applied and if not, why not.
Many in the security industry don’t agree.
“Considering Equifax is one of the largest credit reporting agencies whose sole business relies on both credibility of data and securely handling the sensitive data of millions of consumers, it is fair to say that they should have patched it as soon as possible, not to exceed a week. A typical bank would have patched this critical vulnerability within a few days,” said Pravin Kothari, CEO of CipherCloud, a cloud security company.
The initial report of the security vulnerability says that a company using the software needed only to upgrade to a more recent version of the Apache Struts program. It is a framework for web servers that help companies, including many Fortune 500 corporations, take in and serve up data.
Experts say the information potentially stolen by the hackers, including Social Security numbers, dates of birth and names, could put people at risk of identity theft for the rest of their lives.
Equifax CEO Richard F. Smith apologized Tuesday in a USA Today op-ed and said that the company initially “thought the intrusion was limited” after discovering it on July 29.
Equifax has indicated that it had not yet had determined the full impact of the breach.