Equifax Failed to Apply Security Patch Available for Months, Leading to Hack

Credit reporting company says it found hole in system — months after fix was available

It looks like Equifax hates those irritating but necessary security updates as much as anyone else.

The credit reporting behemoth has pinpointed the vulnerability in its system that hackers exploited in taking the personal information of 143 million Americans. That’s good. The fact that the vulnerability, Apache Struts CVE-2017-5638, had a “patch” available for months that Equifax failed to apply? That’s not so good.

“Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted,” said Equifax, in its progress report revealing the issue. “We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

Apache Struts is a staple of Fortune 500 companies, used for Java web applications and front-end services, like Equifax’s consumer website. The Apache Struts vulnerability was first spotted in March, with a patch coming out a few days later.

More than a month elapsed between the time the Apache Struts fix became available and Equifax’s hack. Equifax noted last week that its security was breached between mid-May and July, before it finally noticed the hack on July 29. That’s, uh, not a good look for Equifax’s data security team. Hackers made off with a hoard of critical data on nearly half of the U.S. population, including social security numbers, addresses and birth dates.

This loot means big business for cybercriminals. Stolen identities sell for between $5 and $30 on the black market, according to Mark Nunnikhoven, vice president of cybersecurity firm Trend Micro. This can lead to major ramifications for the 143 million Americans with compromised information.

“These identity documents can be used in real-world identity theft,” Nunnikhoven told TheWrap. “So if you print up a fake social security card and walk into a bank that the originator of that social security number has never done business with, you can easily open an account in their name and be them for all intents and purposes.”

Equifax’s monumental negligence hasn’t been lost on investors, with shares of the company cratering more than 30 percent in the last week.

And the hits don’t stop there for Equifax. Dozens of lawsuits have already been filed against the company, and nearly 40 states are investigating the hack. The Federal Trade Commission and Congress are looking into it, too, with Equifax CEO Richard Smith set to testify before the House of Representatives on Oct. 3.