You can blame Equifax for the data breach that affects 143 million of us. It apparently did not fix a security flaw that it knew about and had received a fix for. “The Equifax data compromise was due to their failure to install the security updates provided in a timely manner,” the Apache Software Foundation wrote on its September 14, 2017 blog.
Apache provides open-source software called Apache Struts that is used by Equifax and by major financial institutions and government agencies. ZDNet quotes Fintan Ryan, an analyst at Redmonk, saying that 65 percent of Fortune 500 companies use Apache Struts.
On its blog, Apache says it issued an update alert on March 07, 2017 and recommended that companies, or anyone using Apache Struts, install a security update.
Apparently, Equifax did not do that. Instead, Equifax says it was hacked from mid-May to July 29. Equifax did not make this public until September 7, 2017.
The flaw in the software let attackers abuse a bug in its file-upload handling to execute code on the servers and steal information including Social Security numbers, driver's license numbers, credit card numbers and other personal financial information.
But in the community of people involved with this type of software and cybersecurity, the word was out, and alerts were issued. They may not directly blame Equifax, but the facts point in that direction.
In a March 8, 2017 blog post, Nick Biasini of Cisco Talos, a threat intelligence group, wrote, “Talos began investigating for exploitation attempts and found a high number of exploitation events.”
On March 9 another expert, Akamai SIRT, wrote on a blog post titled “Vulnerability Found In Apache Struts,” “If you are currently running an affected version of the software, malicious users could execute code on the system remotely by using a maliciously crafted Content-Type header. Successful exploitation does not require the user to be authenticated. Apache has classified the vulnerability as a ‘possible remote code execution;’ however, the vulnerability is easy to exploit and allows code to be executed using the user context of the account running the Tomcat server. At least two working exploits have been seen in the wild already.”
He also told users, “Upgrading Apache Struts to version 2.3.32 or 2.5.10.1 will fix the current vulnerability.”
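The advice above reduces to a version check per Struts release line. As an added example (not code from the article, from Apache, or from any of the sources quoted), here is a small patch-compliance check that flags hosts whose Struts version is below the fix versions the Akamai SIRT post cites; the hostnames and versions in the sample inventory are constructed.

```python
# Added example, not code from the article or from Apache: a patch-compliance
# check against the Struts fix versions the Akamai SIRT post cites,
# 2.3.32 and 2.5.10.1. Hostnames and versions below are constructed.
import re

# Minimum fixed version per Struts release line, as stated in the article.
FIXED_VERSIONS = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}

def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1); reject anything but dotted integers."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))

def is_patched(version_text):
    """True if the version is at or above the fix for its release line; a
    line the article gives no fix for (e.g. 2.2.x) returns False for review."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return False
    # Tuple comparison is element-wise, so (2, 5, 10) < (2, 5, 10, 1): the
    # unpatched 2.5.10 sorts below the fixed 2.5.10.1 as it should.
    return version >= fixed

def hosts_needing_upgrade(inventory_lines):
    """Parse 'host<TAB>version' lines; return hosts running unpatched Struts."""
    needs_upgrade = []
    for line in inventory_lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blanks and comment lines
        host, version_text = line.split("\t")
        if not is_patched(version_text):
            needs_upgrade.append(host)
    return needs_upgrade

# Constructed inventory: sample data, not anything from the breach.
SAMPLE_INVENTORY = [
    "# host\tstruts2-core version",
    "web-01\t2.3.31",
    "web-02\t2.3.32",
    "web-03\t2.5.10",
    "web-04\t2.5.10.1",
    "web-05\t2.5.12",
]
```

Run against the sample inventory, `hosts_needing_upgrade(SAMPLE_INVENTORY)` returns `web-01` and `web-03`; feed it your own host/version export to get the list that still needs the upgrade.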
That leaves the question of why Equifax didn’t fix the flaw that led to the breach, and what happens to us and to all of that stolen data now.
Consumer advocates say you can blame Equifax for the giant mess the credit reporting company made for consumers. That’s why it’s a good idea to put a freeze on your credit report, as the U.S. Public Interest Group warns in a news release.
“We’re recommending that consumers get credit freezes with all three credit bureaus. We’ve called on Equifax to pay for all those freezes, but consumers shouldn’t wait for that. Credit freezes are currently only free in seven states (about to be eight in October).
“We are working to make them free in other places like Illinois and Massachusetts, where state bills have been introduced. But Congress should lead and make credit freezes free for everyone in the country.”