EQUIFAX HAD PATCH, DIDN’T IN­STALL IT

Fix was avail­able two months be­fore hack­ers stole info from credit-re­port­ing agency

The Signal - - MONEY - El­iz­a­beth Weise and Nathan Bomey @eweise, @NathanBomey USA TO­DAY

Hack­ers took ad­van­tage of an Equifax se­cu­rity vul­ner­a­bil­ity two months af­ter an in­dus­try group dis­cov­ered the cod­ing flaw and shared a fix for it, rais­ing ques­tions about why the credit-re­port­ing agency didn’t up­date its soft­ware suc­cess­fully when the dan­ger be­came known.

A week af­ter Equifax re­vealed one of the largest breaches of con­sumers’ pri­vate fi­nan­cial data in his­tory — 143 mil­lion con­sumers and ac­cess to credit-card data of 209,000 — the in­dus­try group that man­ages the open source soft­ware in which the hack oc­curred blamed Equifax.

“The Equifax data com­pro­mise was due to (Equifax’s) fail­ure to in­stall the se­cu­rity up­dates pro­vided in a timely man­ner,” The Apache Foun­da­tion, which over­sees the widely-used open source soft­ware, said in a state­ment Thurs­day.

Equifax told USA TO­DAY late Wed­nes­day the crim­i­nals who gained ac­cess to its cus­tomer data ex­ploited a web­site ap­pli­ca­tion vul­ner­a­bil­ity known as Apache Struts CVE-2017-5638.

The vul­ner­a­bil­ity was patched on March 7, the same day it was an­nounced, The Apache Foun­da­tion said. Cy­ber­se­cu­rity pro­fes­sion­als who lend their free ser­vices to the project of open­source soft­ware — code that’s shared by ma­jor cor­po­ra­tions and that’s tested and mod­i­fied by de­vel­op­ers work­ing at hundreds of firms — had shared their dis­cov­ery with the in­dus­try group, mak­ing the risk and fix known to any com­pany us­ing the soft­ware. Mod­i­fi­ca­tions were made on March 10, ac­cord­ing to the Na­tional Vul­ner­a­bil­ity Data­base. “The Equifax data com­pro­mise was due to (Equifax’s) fail­ure to in­stall the se­cu­rity up­dates pro­vided in a timely man­ner.”

The Apache Foun­da­tion, which over­sees the open source soft­ware

But two months later, hack­ers took ad­van­tage of the vul­ner­a­bil­ity to en­ter the credit re­port­ing agency’s sys­tems: Equifax said the unau­tho­rized ac­cess be­gan in mid-May.

Equifax did not re­spond to a ques­tion Wed­nes­day about whether the patches were ap­plied, and if not, why not.

It should have have acted faster to suc­cess­fully deal with the prob­lem, other cy­ber­se­cu­rity pro­fes­sion­als said.

“A typ­i­cal bank would have patched this crit­i­cal vul­ner­a­bil­ity within a few days,” said Pravin Kothari, CEO of CipherCloud, a cloud se­cu­rity com­pany.

Fed­eral reg­u­la­tors are in­ves­ti­gat­ing whether Equifax is at fault. The Fed­eral Trade Com­mis­sion and the Con­sumer Fi­nan­cial Pro­tec­tion Bureau have said they’ve opened probes into the hack.

So far dozens of state at­tor­neys gen­eral are in­ves­ti­gat­ing the breach, and on Tues­day Mas­sachusetts At­tor­ney Gen­eral Maura Healey said she plans to sue the com­pany for vi­o­lat­ing state con­sumer pro­tec­tion laws. More than 23 class-ac­tion law­suits against the com­pany have also been pro­posed.

Equifax shares fell 2.5% Thurs­day af­ter news of the FTC probe and are down 33% since it re­vealed the hack.

In­for­ma­tion po­ten­tially stolen, in­clud­ing So­cial Se­cu­rity num­bers and dates of birth and names, could put peo­ple at risk of iden­tity theft for the rest of their lives, credit ex­perts warn.

DARYL BJORAAS, USA TO­DAY

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.