Equifax had patch 2 months before hack and didn’t install it, security group says

Show Caption Hide Caption Worried about Equifax? Freeze your credit! If you're concerned your personal information might have been exposed by the Equifax breach, you can take steps to freeze your credit.

SAN FRANCISCO — Hackers took advantage of an Equifax security vulnerability two months after an industry group discovered the coding flaw and shared a fix for it, raising questions about why Equifax didn't update its software successfully when the danger became known.

A week after Equifax revealed one of the largest breaches of consumers' private financial data in history — 143 million consumers and access to the credit-card data of 209,000 — the industry group that manages the open source software in which the hack occurred blamed Equifax.

"The Equifax data compromise was due to (Equifax's) failure to install the security updates provided in a timely manner," The Apache Foundation, which oversees the widely-used open source software, said in a statement Thursday.

Equifax told USA TODAY late Wednesday the criminals who gained access to its customer data exploited a website application vulnerability known as Apache Struts CVE-2017-5638.

The vulnerability was patched on March 7, the same day it was announced, The Apache Foundation said. Cybersecurity professionals who lend their free services to the project of open-source software — code that's shared by major corporations and that's tested and modified by developers working at hundreds of firms — had shared their discovery with the industry group, making the risk and fix known to any company using the software. Modifications were made on March 10, according to the National Vulnerability Database.

But two months later, hackers took advantage of the vulnerability to enter the credit reporting agency's systems: Equifax said the unauthorized access began in mid-May.

Equifax did not respond to a question Wednesday about whether the patches were applied, and if not, why not. "We continue to work with law enforcement as part of our criminal investigation and have shared indicators of compromise with law enforcement," it said.

It should have have acted faster to successfully deal with the problem, other cybersecurity professionals said.

"They should have patched it as soon as possible, not to exceed a week. A typical bank would have patched this critical vulnerability within a few days,” said Pravin Kothari, CEO of CipherCloud, a cloud security company.

Federal regulators are now investigating whether Equifax is at fault. The Federal Trade Commission and the Consumer Financial Protection Bureau have said they've opened probes into the hack.

So far dozens of state attorneys general are investigating the breach, and on Tuesday Massachusetts Attorney General Maura Healey said she plans to sue the company for violating state consumer protection laws. More than 23 class-action lawsuits against the company have also been proposed.

Proof that Equifax failed to protect customers, particularly when it had the tools and information to do so, is likely to further damage Equifax's financial outlook. Shares fell 2.5% Thursday after news of the FTC probe and are down 33% since it revealed the link.

More: How did the Equifax breach happen? Here are some answers and some questions.

More: Equifax data breach could create lifelong identity theft threat

More: Equifax CEO: ‘We will make changes’

Information potentially stolen by the hackers, including Social Security numbers and dates of birth and names, could put people at risk of identity theft for the rest of their lives, credit experts warn.

Equifax CEO Richard F. Smith apologized Tuesday in a USA TODAY op-ed and said the company initially "thought the intrusion was limited" after discovering it on July 29. The company has indicated that it had not yet had determined the full impact of the breach.

The researchers who found the vulnerability had prepared two plug-ins that could be used as a drop-in solution, which they posted online. A company using the software needed only to upgrade to a more recent version of the Apache Struts program, a framework for Web servers that help companies, including many Fortune 500 corporations, take in and serve up data.

The process of patching the flaw isn’t as simple as just downloading a new version of Java. It requires searching the company’s entire portfolio of applications to look for known and newly reported vulnerabilities, then updating to the latest version of those applications. It is then often necessary to rewrite the applications so they match the other software the company is using. Then everything must be retested and redeployed.

To some in the industry, it’s not that Equifax had bad security practices, but that such poor security hygiene is all too common.



"A majority of large companies have similar challenges, problems and weakness in their cybersecurity. Most companies still fail to maintain a proper application inventory and thus keep critical vulnerabilities unpatched for months," said Ilia Kolochenko, CEO of High-Tech Bridge, a Swiss Web security company.

Patching can take time, even for large corporations with dedicated security staff, which Equifax presumably had, noted Jeff Williams, co-founder of Contrast Security. Williams identified a different Struts vulnerability earlier this year.

Still, not doing so is “absolutely unreasonable,” he said.

Follow USA TODAY reporter Nathan Bomey on Twitter @NathanBomey and Elizabeth Weise @eweise.