Failure to patch two-month-old bug led to massive Equifax breachOn Friday, Equifax announced that two top executives would be retiring in the aftermath of the company’s massive security breach that affected 143 million Americans.
According to a press release, the company said that its Chief Information Officer, David Webb, and Chief Security Officer, Susan Mauldin, would be leaving the company immediately and were being replaced by internal staff. Mark Rohrwasser, who has lead Equifax’s international IT operations, is the company’s new interim CIO. Russ Ayres, who had been a vice president for IT at Equifax, has been named as the company’s new interim CSO.
The notorious breach was accomplished by exploiting a Web application vulnerability that had been patched in early March 2017.
Equifax website hack exposes data for ~143 million US consumersHowever, the company’s Friday statement also noted for the first time that Equifax did not actually apply the patch to address the Apache Struts vulnerability (CVE-2017-5638) until after the breach was discovered on July 29, 2017.
As Ars reported earlier in the week, Apache Struts is a framework for developing Java-based apps that run both front-end and back-end Web servers. It is relied on heavily by banks, government agencies, large Internet companies, and Fortune 500 companies. Experian, one of the three big credit reporting services, and annualcreditreport.com, which provides free credit reports, both reportedly rely on Apache Struts as well.
“While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing,” the press release continued. “The company will release additional information when available.”
More Info: arstechnica.com