Equifax allegedly had access to a security patch that would have prevented the massive data breach the company announced last week. (KIRILL KUDRYAVTSEV/AFP/Getty Images)
© 2024 Blaze Media LLC. All rights reserved.
Equifax could have prevented the data breach two months before it happened
September 14, 2017
Equifax, the credit reporting agency that announced a major data breach last week, had access to the security patch that would have stopped the hackers two months before the breach happened, according to the software company that created the patch.
The timeline
- On March 7, the Apache Software Foundation released a patch for the vulnerability that Equifax has confirmed caused the breach. Both the vulnerability and the patch were widely known within the industry.
- The breach itself began in May, with exposure continuing into July. Equifax discovered the breach on July 29.
- On Sept. 7, Equifax announced the breach, which affected approximately 143 million consumers.
What the experts are saying
The Apache Software Foundation: "The Equifax data compromise was due to (Equifax's) failure to install the security updates provided in a timely manner."
Pravin Kothari, CEO, CipherCloud: "They should have patched it as soon as possible, not to exceed a week. A typical bank would have patched this critical vulnerability within a few days." (USA Today)
Ilia Kolochenko, CEO, High-Tech Bridge: "A majority of large companies have similar challenges, problems and weakness in their cybersecurity. Most companies still fail to maintain a proper application inventory and thus keep critical vulnerabilities unpatched for months." (USA Today)
How Equifax is handling this
Not particularly well, so far. The company has been overwhelmed by requests from consumers to freeze their credit, which temporarily knocked the system offline Wednesday.
No one with Equifax has yet responded to questions about why the patch wasn't implemented in March.
"We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement," the website reads.
It's also important to remember that three Equifax executives sold millions in shares in the days following the discovery of the breach, months before it became public.
Repercussions
- Equifax is now facing at least 23 class action lawsuits resulting from the breach.
- The Massachusetts Attorney General plans to sue Equifax for violations of consumer protection laws.
- Federal regulators are investigating Equifax's fault in the breach.