Equifax has finally explained what made it possible for hackers to walk away last month with the Social Security numbers of 143 million US consumers. The answer is maybe unsurprising, but completely and totally rage-inducing.
They didn’t bother updating their computers:
We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.
— Equifax (equifaxsecurity2017.com)
The patch for the vulnerability mentioned above was released on March 6, 2017. That’s two entire months before Equifax claims to have discovered the intrusion. Equifax never applied the fix, which was provided free of charge. Wait, what?!
This is not unlike a security guard notifying the head of bank security that the vault was being left unlocked night after night, and the head of security simply ignoring it. Surprise: the bank was eventually robbed. Except, at this bank, the transactions are done with your personal data. It’s completely irreplaceable.
Now, maybe you want to give Equifax the benefit of the doubt. “But,” you’re telling me, “they must have just been unaware. Nobody trusted with our financial security would knowingly disregard such a crucial problem.” But, let me assure you they would. And did.
You don’t even need to take my word for it — here’s Vicente Motos, who helped create the fix that Equifax never bothered applying:
We have dedicated hours to reporting to companies, governments, manufacturers, and even individuals to patch and correct the vulnerability as soon as possible.
– Vicente Motos, on Hack Players
So, another day, another absolutely outrageous example of how terrible a company Equifax was and is. This could have all been avoided if only they had taken our well-being seriously. Companies like Equifax rarely do.