What caused the Equifax breach? Failure to patch a bug
- Following Equifax’s announcement of the data breach of 143 million U.S. consumers, Equifax said hackers were able to access its network through an unpatched vulnerability on a website application.
- Attackers were able to exploit a web application vulnerability called Apache Struts CVE-2017-5638, the company said. But a patch for the vulnerability was available on March 6, two months before attackers exploited the vulnerability on Equifax's site, Ars Technica reports.
Human error strikes again. Patchwork security has long been the culprit of cyberattacks. Without system and network updates, companies leave holes in their security as seen in May’s WannaCry attack, which exploited a hole in Windows 7 software. Microsoft had advised Windows 7 users to update to Windows 10, long before the attack could impact its 200,000 victims.
Even the U.S. government is facing scrutiny over its patchwork efforts. In a recent Security Scorecard report, the U.S. government came in 16th place for patching applications out of 18 industries. Despite 75% of the government’s $80 billion IT budget is delegated to system maintenance, patchwork falls short.
For Equifax, the revelation that the root cause of the attack was lacking cybersecurity practices will only fuel the numerous lawsuits it is facing. Consumers will be quick to blame negligence, particularly if the breach could have been prevented by more timely security updates.
The firms lack of transparency and poor communication about the breach is causing widespread citicism. Cybersecurity incidents this severe can cause ripple effects through an organization, potentially even leading to company leadership shakeups.
Follow Naomi Eide on Twitter