Are You Repeating Equifax’s Big Mistake?
In early fall, one of the country’s “Big Three” credit bureaus, Equifax, revealed they suffered a massive security breach in May 2017. Equifax announced that the unauthorized access may have jeopardized 143 million Americans, letting Social Security numbers, birthdates, addresses, and even driver’s license numbers fall into the hands of hackers. The situation only became worse when Visa and MasterCard sent confidential letters to financial institutions across the United States, warning that over 200,000 credit cards were stolen in the Equifax breach.
Equifax’s handling of the breach was, to quote security expert Brian Krebs, a “dumpster fire.” The company initially offered a full year of credit monitoring and directed consumers to a website where Americans could determine if they were affected by the breach. Unfortunately, the website, equifaxsecurity2017.com, was largely unusable. Most people were unable to access the site, and those who could often received different answers from the mobile and desktop websites. What’s more disturbing, Bloomberg reported three top Equifax executives sold company stock worth millions of dollars in the time between Equifax discovering the breach and finally notifying the public.
How Did This Happen?
In September, Equifax confirmed the unauthorized access was caused by a weakness in the open-source software package Apache Struts. The flaw in the Apache software was discovered on March 7, shortly after the software was released and in use by countless websites, including Equifax. By March 8, Apache released updated software to address the vulnerability. Despite the patch being publicly available, it would take Equifax four months to update their Apache software. This update only took place after Equifax discovered the breach in their system.
Failing to update software seems like a rookie mistake, but this is the second time in a year we’ve seen fallout due to this kind of oversight. In May, the WannaCry ransomware attack targeted 240,000 computers around the world that were running on an older version of Windows XP. Now, Equifax’s failure to keep their software updated may lead to millions of Americans having their identity stolen. Businesses of all sizes need to stop overlooking the importance of updated software and security, or they will keep paying the price.