Equifax Could Have Fixed Bug Exploited by Hackers. It Didn't
Patch for web application vulnerability was released 2 months before data breach
By Michael Harthorne,  Newser Staff
Posted Sep 14, 2017 7:08 PM CDT
It appears Equifax had more than two months to fix the vulnerability exploited by hackers to access the data of 143 million US consumers.   (AP Photo/Mike Stewart, File)

(Newser) – Remember that massive Equifax data breach that exposed the names, security numbers, and more of 143 million US consumers? It now appears Equifax had "clear and simple instructions" on how to avoid it and more than two months to follow them. The credit reporting company announced Thursday that hackers exploited a vulnerability in the Apache Struts web application between May and July, Ars Technica reports. But here's the thing: A patch to fix that particular vulnerability had been available for more than two months by that point. "This vulnerability was disclosed back in March," a researcher at an analytics security firm tells Wired. "There were clear and simple instructions of how to remedy the situation."

Not only was a patch available to Equifax, but there were public reports back in March of hackers exploiting websites that hadn't yet fixed the Apache Struts vulnerability. The New York Times reports it's unclear why Equifax didn't patch the vulnerability. "Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years," Wired quotes the vice president of Apache Struts as saying. Experts say it would have been fairly easy for hackers to exploit the vulnerability with Equifax having not patched it.

My Take on This Story
Show results without voting  |  
4%
5%
21%
1%
23%
46%