About 11,000 companies did not learn Equifax's lesson. Between March 2017 and February 2018, 10,800 companies installed faulty software reports Fortune, based on research by Sonatype. Seven Fortune Global 100 tech companies, eight Fortune Global 100 automakers and 15 Fortune Global 100 financial services organizations are among those with the outdated software.
The hackers behind Equifax's breach leveraged vulnerabilities in the open source software package, Apache Struts. Versions of Apache Struts are crippled with flaws, but 8,780 organizations continued to download the software since Equifax's breach disclosure in September. About 3,000 companies have downloaded the same versions of Struts that resulted in Equifax's breach.
- Patches to the software bug were made available in March 2017. The software's security holes left the "framework that helps power the transactional backends of many business" exposed to a possible remote code execution-style attack, according to Fortune.
When it comes to cybersecurity, one company's tragedy is another company's lesson. Patches remain a weak layer of cybersecurity despite it being one of the basics. For a range of reasons, companies have ignored the warning signs displayed by the fall of others.
Since September 2017, Equifax has spent $242.7 million on breach-related remediation with nearly $30 million of it spent on legal and professional fees, according to the company's Q1 2018 earnings report.
The responsibility of implementing patches does not solely lie on the provider when the provider has issued a patch. Patches on outdated software are issued regularly, ensuring the integrity of software remains resilient enough to withstand nefarious actions.
One reason patches can slip under the radar is due to a system crowded by software without an active directory managing it. If companies invested the time to create a real-time inventory of their software, locating a vulnerable version should be easier.
But even when assurance is available from a software vendor, customers feel frustration when updates are not as transparent as they'd like, according to Oracle CSO Mary Ann Davidson. Making new patches more publicized could be the solution for outdated systems, she said.