Security experts identified a vulnerability in Equifax’s systems more than two months before the data breach.
Hackers took advantage of an Equifax security vulnerability two months after an industry group discovered the coding flaw and shared a fix for it, raising questions about why Equifax didn't update its software successfully when the danger became known.
Equifax blames Apache Foundation.
Equifax told USA TODAY late Wednesday the criminals who gained access to its customer data exploited a website application vulnerability known as Apache Struts CVE-2017-5638.
But…
The vulnerability was patched on March 7, the same day it was announced, The Apache Foundation said. Cybersecurity professionals who lend their free services to the project of open-source software — code that's shared by major corporations and that's tested and modified by developers working at hundreds of firms — had shared their discovery with the industry group, making the risk and fix known to any company using the software. Modifications were made on March 10, according to the National Vulnerability Database.
The stock market is punishing Equifax. Shares are down 33% since Equifax revealed the breach. Apparently, the public should worry about lots of other companies. Vulnerability is the norm, not the exception.
To some in the industry, it’s not that Equifax had bad security practices, but that such poor security hygiene is all too common.
"A majority of large companies have similar challenges, problems and weakness in their cybersecurity. Most companies still fail to maintain a proper application inventory and thus keep critical vulnerabilities unpatched for months," said Ilia Kolochenko, CEO of High-Tech Bridge, a Swiss Web security company.
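The two concrete points in this story, the patch timeline in paragraph six (fix published March 7, exploited about two months later) and Kolochenko's remark that companies fail to keep an application inventory and so leave critical vulnerabilities unpatched for months, can be turned into a simple audit. The following is an added example, not code from the article, Equifax or Apache: it takes a constructed inventory of deployed applications, flags any `struts2-core` whose version falls in the affected range that Apache published for CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10, from the S2-045 advisory rather than from the article), and reports how many days each has been exposed since the disclosure date. The `Deployment` record, the sample application names and the audit date are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# Date the fix was published, as stated in the article.
DISCLOSURE_DATE = date(2017, 3, 7)

# Affected version ranges for CVE-2017-5638 as published in Apache's S2-045
# advisory (not stated in the article). The fixed releases were 2.3.32 and 2.5.10.1.
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10))]


def parse_version(version: str) -> tuple:
    """Turn '2.5.10.1' into (2, 5, 10, 1); pad short versions such as '2.5' to three parts."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if the Struts version lies inside a published affected range.

    Tuple comparison keeps 2.5.10.1 out of the 2.5.0..2.5.10 range, because a
    longer tuple with an equal prefix sorts after the shorter one.
    """
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


@dataclass
class Deployment:
    """One entry of an application inventory (hypothetical record layout)."""
    app: str
    component: str
    version: str


def audit(inventory, today: date):
    """Return (app, version, days_exposed) for every vulnerable Struts deployment."""
    findings = []
    for d in inventory:
        if d.component != "struts2-core":
            continue
        if is_affected(d.version):
            days_exposed = (today - DISCLOSURE_DATE).days
            findings.append((d.app, d.version, days_exposed))
    return findings


# Constructed sample inventory; names and versions are illustrative only.
SAMPLE_INVENTORY = [
    Deployment("dispute-portal", "struts2-core", "2.3.30"),   # in affected range
    Deployment("billing-api", "struts2-core", "2.5.10.1"),    # already on the fixed release
    Deployment("intranet-wiki", "spring-core", "4.3.7"),      # not Struts, ignored
    Deployment("legacy-reports", "struts2-core", "2.3.4"),    # below the affected range
]

# Constructed audit date, roughly two months after disclosure as in the article.
AUDIT_DATE = date(2017, 5, 13)

if __name__ == "__main__":
    for app, version, days in audit(SAMPLE_INVENTORY, AUDIT_DATE):
        print(f"{app}: struts2-core {version} vulnerable to CVE-2017-5638, "
              f"{days} days since fix was published")
```

The point of the inventory check is that the question "are we exposed?" can be answered in seconds only if the list of deployed components and versions exists; without it, a fix that was public on day one can sit unapplied for months, which is exactly the pattern the article describes.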