On Equifax - A Case Study in Failure to Manage Risk

Last March, a vulnerability was identified in a piece of open-source software called Apache Struts. This vulnerability was described by the Common Vulnerability Scoring System as posing a high risk to data confidentiality and integrity, and requiring an attack of low complexity and no access privileges to exploit. By March 8, a patch for that vulnerability was available. On the same day, the Department of Homeland Security’s Computer Emergency Readiness Team notified Equifax and other critical organizations of the immediate need to patch the vulnerability.

On Oct. 3, while testifying about the 2017 data breach before the House Energy and Commerce Committee, former Equifax CEO Richard Smith claimed that an internal notification advised Equifax IT personnel to install the patch on the following day, March 9. He stated that “the human error was that the individual who’s responsible for communicating in the organization to apply the patch did not.” Smith also testified that Equifax’s fail-safe, a vulnerability scan, was run on March 15, but that “both the human deployment of the patch and the scanning deployment did not work.”


From the January-February 2018 edition of The NAFCU Journal magazine.