Equifax's world-beating breach of 143 million Americans' sensitive personal and financial information was the result of the company's failure to patch a two-month-old bug in Apache Struts, despite multiple reports of the bug being exploited in the wild.
A patch for the vulnerability ("Apache Struts CVE-2017-5638") was issued on March 6. Equifax's website was breached by exploiting the bug in "mid-May," more than two months after the patch was issued. In the interim, there were widespread reports of "mass attacks" by hackers exploiting CVE-2017-5638. Despite these reports, Equifax did not patch their infrastructure, leaving it — and 143 million Americans — vulnerable to the breach that followed.
This isn't the only gross negligence in recent Equifax history, either. In Argentina, researchers discovered that a system holding similarly sensitive data about people in Argentina and other South American countries was configured to allow root access with the username and password combo of "admin/admin."
Equifax reported earnings of $832.2 million for Q1 2017, up 17% from Q1 2016; for Q2 2016, earnings were up 7% from 2016. The company made those earnings by warehousing sensitive data for hundreds of millions of people, largely without their consent, and by manifestly underinvesting in security and IT spending.
Thursday's disclosure strongly suggests that Equifax failed to update its Web applications, despite demonstrable proof that the bug gave real-world attackers an easy way to take control of sensitive sites. An Equifax representative didn't immediately respond to an e-mail seeking comment on this possibility.
As Ars warned in March, patching the security hole was labor intensive and difficult, in part because it involved downloading an updated version of Struts and then using it to rebuild all apps that used older, buggy Struts versions. Some websites may depend on dozens or even hundreds of such apps, which may be scattered across dozens of servers on multiple continents. Once rebuilt, the apps must be extensively tested before going into production to ensure they don't break key functions on the site.
Failure to patch two-month-old bug led to massive Equifax breach
[Dan Goodin/Ars Technica]
Ayuda! (Help!) Equifax Has My Data! [Brian Krebs/Krebs on Security]