Sun Sentinel Palm Beach Edition

Equifax admits security patch delay

Firm says hacking began during May, two months after fix was made available

By Jenny Surane and Jordan Robertson, Bloomberg News

Equifax has revealed that the hackers who stole data on 143 million U.S. consumers did so by exploiting a vulnerability that the company could have fixed two months before it was breached.

The disclosure Wednesday suggests that Equifax may have been slow to take basic steps to secure its most sensitive data, and will likely add to calls for stronger oversight of an industry whose information in the hands of criminals can enable the worst kinds of identity theft and fraud. The company is facing a Federal Trade Commission investigation and calls to testify before Congress.

“The vulnerability was Apache Struts CVE-2017-5638,” Equifax said in a frequently-asked-questions section of a website it set up to help people affected. The Apache Software Foundation, which oversees the open-source software, had issued a patch for the flaw in March. Equifax said it discovered the breach on July 29 and that it had been occurring since mid-May.

The FTC said on Thursday that it’s investigating Equifax’s breach. The agency typically doesn’t comment on ongoing investigations, but confirmed the inquiry in light of “intense public interest and the potential impact of this matter,” spokesman Peter Kaplan said in an emailed statement.

The Apache software is widely used by companies to help build websites. The two-month gap between when the patch was issued and when the attackers breached Equifax’s network was a particularly dangerous time, as hackers began immediately exploiting the flaw on websites that didn’t apply the fix, according to technology website Ars Technica.

“The Equifax data compromise was due to their failure to install the security updates provided in a timely manner,” the Apache Software Foundation said Thursday in a statement on its website.

But security professionals say many companies take weeks or even months to apply software patches, as applications need to be tested to ensure the updates don’t break existing code. Apache Struts software is especially time-consuming to update because each application needs to be fixed individually. But a delay of several months to remove a high-priority vulnerability is generally considered a dangerous security practice.
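The per-application patching described above starts with knowing which deployed applications still bundle an affected struts2-core. As an added example, not from the article or from Equifax, the following Python audit walks a deploy directory, reads the struts2-core jar versions inside each WAR and flags those inside the affected ranges of the Apache S2-045 advisory for CVE-2017-5638 (the affected and fixed version numbers come from that advisory, not from the article; the WAR names and contents are constructed).

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Affected ranges from the Apache S2-045 advisory for CVE-2017-5638:
# 2.3.5 through 2.3.31 and 2.5 through 2.5.10 (fixed in 2.3.32 and 2.5.10.1).
# Stored as [lower, upper) bounds on the parsed version tuple.
AFFECTED = [((2, 3, 5), (2, 3, 32)), ((2, 5), (2, 5, 10, 1))]
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version):
    """True if this struts2-core version falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED)


def struts_versions_in(war_path):
    """Struts2-core versions bundled under WEB-INF/lib of one WAR."""
    with zipfile.ZipFile(war_path) as war:
        return [m.group(1) for m in map(JAR_RE.search, war.namelist()) if m]


def audit(root):
    """Map each WAR under root to the vulnerable Struts versions it ships, if any."""
    report = {}
    for war in sorted(Path(root).rglob("*.war")):
        bad = [v for v in struts_versions_in(war) if is_vulnerable(v)]
        if bad:
            report[war.name] = bad
    return report


def demo():
    """Constructed deploy tree: three WARs, two still on an affected version."""
    root = Path(tempfile.mkdtemp())
    sample = {
        "accounts.war": "2.3.31",   # last unpatched 2.3.x release
        "disputes.war": "2.5.10",   # last unpatched 2.5.x release
        "portal.war": "2.5.10.1",   # carries the fix
    }
    for name, version in sample.items():
        with zipfile.ZipFile(root / name, "w") as war:
            war.writestr(f"WEB-INF/lib/struts2-core-{version}.jar", b"")
    return audit(root)
```

Running `audit()` against a real deploy tree gives the list of applications that each need their own test-and-redeploy cycle, which is the work the paragraph says makes Struts slow to patch.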

“If this is indeed a capital offense, then I’d say that the majority of organizations are guilty,” said Rick Holland, vice president of strategy at Digital Shadows, a cyber-intelligence firm with offices in London and San Francisco. “It is easy to Monday-morning quarterback and say, ‘Why didn’t you patch?’ The pragmatic reality for many organizations is that patching doesn’t occur as quickly as one would like.”

The bigger question to many cyber-security experts is why some of Equifax’s crown jewels were accessible essentially from the open internet, a question that Equifax has not addressed. The company hasn’t specified when it sought to patch the flaw, or what other mechanisms the attackers used once inside the network to access the consumer data.

The vulnerability was a critical weakness for many large websites that were built using the software.
