The fix was available for months before the breach.
Good website security is tough, but the consequences of bad website security can be far tougher. That appears to be one of the big lessons coming out the debacle surrounding Equifax’s mega-breach, which has “humbled” the credit-reporting giant.
On Wednesday, Equifax gave an update on its investigations of the breach, explaining that it had identified the culprit—a vulnerability on part of its U.S. website, specifically a flaw in the open-source Apache Struts framework it used to build its web applications.
This particular vulnerability, which carries the code “CVE-2017-5638,” was fixed back in early March, with patches becoming available then to everyone who uses Struts. Equifax said the breach occurred in the middle of May.
That means Equifax’s IT department had the means to fix the problem for a couple of months, but did not. The rest is history.
To be fair, as Ars Technica has pointed out, this was not an easy flaw to fix. It meant rebuilding all the web apps that people had already built using Struts, except this time using the updated version.
So at this point, it remains possible that Equifax’s development team might have been in the process of doing this when the breach hit.
But even if that were the case, they would have been too slow. It only took a few days after the bug was made public on March 6 for hackers to start attacking websites that relied on the framework. More than two months later, they scored their biggest hit.
Now, with more than 143 million people having lost their personal details, Equifax is facing questions from legislators and the public. So far, the answers aren’t proving comfortable.