Major firms are failing to learn from Equifax breach

Last year's massive data breach at Equifax should have been a wake-up call for the entire industry.

Hackers stole 145 million records by exploiting a vulnerability in a widely used open-source web application framework that the credit rating giant had failed to patch months earlier. Names, addresses, Social Security numbers, and more were swiped -- leaving Americans at risk of credit fraud and identity theft.

But a year after the patches were released, some of the world's wealthiest companies are still using, or have since introduced, the same flawed software.

Thousands of companies have downloaded vulnerable versions of Apache Struts, a popular open-source framework for building web applications in Java that is used across the Fortune 100. It's often used to power both front- and back-end applications -- including Equifax's public website.

The bug used in the Equifax hack, a remote code execution flaw tracked as CVE-2017-5638, was fixed in March 2017, but Equifax never installed the patches.

Since those patches were made available, data seen by ZDNet shows that at least 10,800 companies have downloaded vulnerable versions of the software.

The data, provided by Sonatype, an open-source automation firm, shows that over half of the Fortune Global 100 are using vulnerable versions of the software.

Although the firm wouldn't name the affected companies, a quarter of them are based in North America. The data showed that seven are tech giants, and 15 are financial services or insurance firms.

But even after patches were released and the flaw was widely publicized in the wake of the Equifax hack, Sonatype's data shows that only one in five companies has stopped using vulnerable versions of the software.

Although newer versions of Apache Struts are released periodically -- six releases since the patch that could have prevented the Equifax attack -- the data showed that 23 of the Fortune Global 100 firms downloaded vulnerable versions of Struts thousands of times in the past year.

Fortune was first to report the data.

The Apache Software Foundation, which maintains Struts, allows users to download legacy versions of the software, even though they contain known security vulnerabilities.

"Developers will have a number of reasons for downloading older versions of Apache Struts, to reproduce running environments and diagnose regressions," Mark Cox, a member of the Apache Software Foundation's security team, told ZDNet in an email. "For production use the latest versions should be used to ensure known vulnerabilities are addressed."

He added that the foundation registers flaws with MITRE's CVE list to help users and developers make informed choices about the versions they deploy.
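The figures above come from download counts, but the same question can be asked of a single build: does it pull in a Struts release that predates the March 2017 fix? The script below is an added example, not code from the ZDNet article or from the Apache Struts project. It reads the `groupId:artifactId:type:version:scope` lines that `mvn dependency:list` prints, picks out `org.apache.struts:struts2-core`, and flags any version inside the range the Struts S2-045 advisory lists as affected by CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10; fixed in 2.3.32 and 2.5.10.1). The dependency listing embedded in it is constructed for the example.

```python
"""Flag Apache Struts 2 artifacts in a Maven dependency listing that fall inside
the version range affected by the Equifax flaw (CVE-2017-5638, Struts S2-045).

Added example; not part of the ZDNet article or the Apache Struts project.
Affected ranges and fixed releases are taken from the S2-045 advisory.
The input format is the `groupId:artifactId:type:version:scope` lines printed
by `mvn dependency:list`; SAMPLE_DEPENDENCY_LIST below is constructed.
"""
import re
from dataclasses import dataclass

# Inclusive (first_affected, last_affected) version ranges from S2-045.
AFFECTED_RANGES = (
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5), (2, 5, 10)),
)
FIXED_RELEASES = ("2.3.32", "2.5.10.1")

# One `mvn dependency:list` line; the "[INFO]" prefix and the scope are optional.
_DEP_LINE = re.compile(
    r"^(?:\[INFO\]\s+)?(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):(?P<type>\w+):"
    r"(?P<version>[\w.-]+)(?::(?P<scope>\w+))?\s*$"
)

# Constructed sample output, mixing vulnerable, fixed and unrelated artifacts.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.struts:struts2-core:jar:2.3.31:compile
[INFO]    org.apache.struts:struts2-core:jar:2.5.10:compile
[INFO]    org.apache.struts:struts2-core:jar:2.5.10.1:compile
[INFO]    org.apache.struts:struts2-core:jar:2.3.32:compile
[INFO]    org.apache.struts:struts2-core:jar:2.3.4:compile
[INFO]    org.apache.struts:struts2-core:jar:2.5.13:compile
[INFO]    org.springframework:spring-core:jar:4.3.7.RELEASE:compile
"""


def parse_version(version: str) -> tuple:
    """Turn '2.5.10.1' into (2, 5, 10, 1). Numeric components are kept up to the
    first non-numeric qualifier, so '4.3.7.RELEASE' becomes (4, 3, 7). Tuple
    comparison then orders 2.5 < 2.5.10 < 2.5.10.1 the way Maven does."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when a struts2-core version lies inside an S2-045 affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


@dataclass
class Finding:
    coordinate: str  # groupId:artifactId
    version: str
    vulnerable: bool


def scan_dependency_list(text: str) -> list:
    """Return one Finding per struts2-core artifact found in the listing."""
    findings = []
    for line in text.splitlines():
        m = _DEP_LINE.match(line.strip())
        if not m:
            continue  # banner lines and anything that is not a coordinate
        if m["group"] != "org.apache.struts" or m["artifact"] != "struts2-core":
            continue
        findings.append(Finding(f"{m['group']}:{m['artifact']}", m["version"],
                                is_vulnerable(m["version"])))
    return findings


def vulnerable_versions(text: str) -> list:
    """Just the versions that need upgrading, in listing order."""
    return [f.version for f in scan_dependency_list(text) if f.vulnerable]


if __name__ == "__main__":
    for f in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        status = "VULNERABLE (S2-045)" if f.vulnerable else "ok"
        print(f"{f.coordinate}:{f.version}  {status}")
    print("fixed releases:", ", ".join(FIXED_RELEASES))
```

Run it against real output with `mvn dependency:list | python struts_check.py` after swapping the sample for `sys.stdin.read()`. The check only covers this one advisory and only direct `struts2-core` coordinates; a dependency scanner that consults the CVE feed Cox refers to (OWASP Dependency-Check, or the scanning built into the artifact repository) is what belongs in a build pipeline, but the version-range comparison it performs is exactly this.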

The data reveals what companies learned -- and how they acted (or didn't) -- after the Equifax attack. It became the largest breach of American data last year, and sparked multiple state, federal and some international investigations. The attackers are still not known.

The credit rating giant first blamed the Struts flaw for the breach, but it later transpired that just one person was responsible for patching the servers. The company was skewered by the security community and lawmakers for delaying the disclosure of the breach for weeks after discovering it.

The credit firm later revealed that in some cases more data, including additional driver's license data and some tax identification numbers, was stolen.

Equifax's then-chief executive Richard Smith retired from the company after the breach. A former executive was later charged with insider trading.