Remember that massive Equifax data breach that exposed the names, security numbers, and more of 143 million US consumers? It now appears Equifax had "clear and simple instructions" on how to avoid it and more than two months to follow them. The credit reporting company announced Thursday that hackers exploited a vulnerability in the Apache Struts web application between May and July, Ars Technica reports. But here's the thing: A patch to fix that particular vulnerability had been available for more than two months by that point. "This vulnerability was disclosed back in March," a researcher at an analytics security firm tells Wired. "There were clear and simple instructions of how to remedy the situation."
Not only was a patch available to Equifax, but there were public reports back in March of hackers exploiting websites that hadn't yet fixed the Apache Struts vulnerability. The New York Times reports it's unclear why Equifax didn't patch the vulnerability. "Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years," Wired quotes the vice president of Apache Struts as saying. Experts say it would have been fairly easy for hackers to exploit the vulnerability with Equifax having not patched it. (Read more Equifax stories.)