2017-09-14usatoday.com

Hackers took advantage of an Equifax security vulnerability two months after an industry group discovered the coding flaw and shared a fix for it, raising questions about why Equifax didn't update its software successfully when the danger became known. 

...

The vulnerability was patched on March 7, the same day it was announced, The Apache Foundation said. Cybersecurity professionals who lend their free services to the project of open-source software -- code that's shared by major corporations and that's tested and modified by developers working at hundreds of firms -- had shared their discovery with the industry group, making the risk and fix known to any company using the software. Modifications were made on March 10, according to the National Vulnerability Database.

But two months later, hackers took advantage of the vulnerability to enter the credit reporting agency's systems: Equifax said the unauthorized access began in mid-May.

...

"They should have patched it as soon as possible, not to exceed a week. A typical bank would have patched this critical vulnerability within a few days," said Pravin Kothari, CEO of CipherCloud, a cloud security company.

Federal regulators are now investigating whether Equifax is at fault. The Federal Trade Commission and the Consumer Financial Protection Bureau have said they've opened probes into the hack.



Comments: Be the first to add a comment

add a comment | go to forum thread