Here at Komando.com, we always stress the importance of applying security updates to your gadgets and computers as soon as possible.
Why? Cybercriminals are constantly probing for known flaws that they can exploit to get into your system and possibly steal your information.
It’s a cat-and-mouse game: hackers poke holes in software, and vendors patch them as soon as they’re discovered.
But what if a large corporation that’s handling the data of millions of consumers fails to do this basic computer security necessity?
Failure to install security updates
Hard to believe, but that’s actually how hackers broke into Equifax’s systems, causing the largest credit data breach in history.
According to a new statement from Equifax, they now know that the “criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638.”
Now, what’s troubling about this revelation is that this Apache Struts bug, CVE-2017-5638, had already been patched on March 7 of this year.
Note: Apache Struts is an open source framework for creating Java web apps. It is used by many companies, including many Fortune 500 companies, for their web applications.
Equifax said that the breach started in mid-May, so this means the company failed to install the critical Apache Struts security update on time, as it should have.
How massive was the Equifax data breach? As one of the three major credit reporting agencies, Equifax collects and handles the data of 820 million consumers and 91 million businesses globally.
The attack affected 143 million U.S. consumers, as names, Social Security numbers, birth dates, addresses, and even driver’s license numbers may have been compromised.
So, basically, Equifax had a two-month window to install the security patch, which would have protected its systems from the eventual hack.
According to the Apache Software Foundation in an official statement, “the Equifax data compromise was due to their failure to install the security updates provided in a timely manner.”
Now that the cause of the breach is getting clearer, the question is this: how could a company that has access to the sensitive data of 820 million consumers and 91 million businesses miss or delay a critical security patch?
What checks can be employed to ensure that this basic mistake doesn’t affect other companies that hold similar data?
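One such check is a patch-level inventory: walk the application servers, find every Struts library that is deployed, and compare its version against the release that fixed CVE-2017-5638. The script below is an added example written for this article; it is not Komando.com’s or Equifax’s code. It assumes the Maven naming convention struts2-core-<version>.jar for the library file, and it uses the affected and fixed version ranges that Apache published in its S2-045 advisory for this CVE (2.3.5 through 2.3.31, fixed in 2.3.32; 2.5 through 2.5.10, fixed in 2.5.10.1). The directory tree it scans in the demo is constructed with empty placeholder jars.

```python
import re
import tempfile
from pathlib import Path

# Version ranges from Apache's S2-045 advisory for CVE-2017-5638.
# Keyed by the 2.x branch: first affected release and the release that fixed it.
FIRST_AFFECTED = {"2.3": (2, 3, 5), "2.5": (2, 5, 0)}
FIXED_VERSIONS = {"2.3": (2, 3, 32), "2.5": (2, 5, 10, 1)}

# Maven-style artifact name, e.g. struts2-core-2.5.10.1.jar (assumed naming convention).
JAR_PATTERN = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.5.10.1' into a comparable tuple, padded to at least three parts.

    Padding makes the bare '2.5' GA release compare as (2, 5, 0), so it is not
    mistaken for something older than the first affected 2.5 release.
    """
    parts = [int(part) for part in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def assess_version(version):
    """Classify a struts2-core version against the CVE-2017-5638 fix levels."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch not in FIXED_VERSIONS or v < FIRST_AFFECTED[branch]:
        # Not listed as affected by S2-045 (other advisories may still apply).
        return "not in affected range"
    if v < FIXED_VERSIONS[branch]:
        return "VULNERABLE"
    return "patched"


def scan_tree(root):
    """Find every struts2-core jar under root and report (path, version, status)."""
    findings = []
    for path in Path(root).rglob("struts2-core-*.jar"):
        match = JAR_PATTERN.match(path.name)
        if match:  # skip names with suffixes the pattern does not cover
            version = match.group(1)
            findings.append((str(path), version, assess_version(version)))
    return findings


def demo_scan():
    """Build a constructed tree of empty placeholder jars and scan it."""
    root = Path(tempfile.mkdtemp())
    for rel in ("app1/WEB-INF/lib/struts2-core-2.3.31.jar",   # one release short of the fix
                "app2/WEB-INF/lib/struts2-core-2.5.10.1.jar"):  # fixed release
        jar = root / rel
        jar.parent.mkdir(parents=True)
        jar.touch()
    return sorted(scan_tree(root), key=lambda finding: finding[0])


if __name__ == "__main__":
    for path, version, status in demo_scan():
        print(f"{status:24} {version:10} {path}")
```

In practice the scan root would be each server’s deployment directory, and the report would feed a ticket or dashboard so that any jar still marked VULNERABLE after the patch date is visible to someone accountable for it. The check only covers libraries named in the Maven convention; applications that shade or rename the jar need a different inventory source, such as a software bill of materials.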