Equifax Falls After Signs It Was Slow to Fix Flaw Hackers UsedBy and
Software fix was available in March, 2 months before intrusion
Disclosure likely to add to calls for tighter regulation
Equifax Inc. tumbled in New York trading after saying the hackers that stole data on 143 million U.S. consumers exploited a vulnerability that the company could have fixed two months before it was breached.
The disclosure suggests that Equifax may have been slow to take basic steps to secure its most sensitive data, and will likely add to calls for stronger oversight of an industry whose information in the hands of criminals can enable the worst kinds of identity theft and fraud. The company faces a Federal Trade Commission investigation and calls to testify before Congress.
“The vulnerability was Apache Struts CVE-2017-5638,” Equifax said in a frequently-asked-questions section of a website it set up to help people affected. The Apache Software Foundation, which oversees the open-source software, had issued a patch for the flaw in March. Equifax said it discovered the breach on July 29 and that it had been occurring since mid-May.
Equifax fell 4.7 percent to $94.34 at 10:38 a.m. in New York. The stock has dropped 34 percent since the company announced last week that hackers accessed sensitive data including Social Security numbers. That’s the worst four-day decline in the company’s history. Shares of rival Experian Plc, which trade in London, dropped as much as 6.4 percent on Thursday.
The FTC said it’s investigating Equifax’s breach on Thursday. The agency typically doesn’t comment on ongoing investigations, but confirmed the inquiry in light of “intense public interest and the potential impact of this matter," spokesman Peter Kaplan said in an emailed statement.
The Apache software is widely used by companies to help build websites. The two-month gap between when the patch was issued and when the attackers breached Equifax’s network was a particularly dangerous time, as hackers began immediately exploiting the flaw on websites that didn’t apply the fix, according to technology website Ars Technica.
“The Equifax data compromise was due to their failure to install the security updates provided in a timely manner,” the Apache Software Foundation said Thursday in a statement on its website.
But security professionals say many companies take weeks or even months to apply software patches, as applications need to be tested to ensure the updates don’t break existing code. Apache Struts software is especially time-consuming to update because each application needs to be fixed individually. But a delay of several months to remove a high-priority vulnerability is generally considered a dangerous security practice.
"If this is indeed a capital offense, then I’d say that the majority of organizations are guilty," said Rick Holland, vice president of strategy at Digital Shadows, a cyber-intelligence firm with offices in London and San Francisco. "It is easy to Monday-morning quarterback and say, ‘Why didn’t you patch?’ The pragmatic reality for many organizations is that patching doesn’t occur as quickly as one would like."
The bigger question to many cyber-security experts is why some of Equifax’s crown jewels were accessible essentially from the open internet, a question that Equifax has not addressed. The company hasn’t specified when it sought to patch the flaw, or what other mechanisms the attackers used once inside the network to access the consumer data.
The vulnerability was a critical weakness for many large websites that were built using the software. In announcing the incident on Sept. 7, Equifax initially blamed a “website application” that it didn’t identify.
Rene Gielen, vice president at the Apache Software Foundation, said in an email Thursday that the group doesn’t have reliable information on how long it takes companies to apply patches for vulnerabilities. While firms usually act within hours or days after an announcement, some companies don’t patch for years, he said.
“If a company has a data breach, like a Home Depot or whatever, they can sell hammers, nails, wood, whatever and generate revenue,” Jeff Dodge, senior vice president of investor relations at Equifax, said at an investor conference in November. “We have a data breach, we’re not in too good a shape out of that, right? So data security and how we go about ensuring that is something we spend a lot of time and effort on.”