I don’t care how secure your systems are: if they’re connected to the internet, they can be hacked. That’s just a fact of digital life. What isn’t an inevitable fact of digital life, however, is negligence (and possibly gross negligence), which is what Equifax displayed in delaying a patch for a known, publicly disclosed Apache Struts security bug.
Equifax now stares bankruptcy in the face, which just might be an adequate wake up call to push enterprises to take software security seriously.
Bozo security practices invite hacks
Despite Equifax holding mountains of personal data, the company appears to have been somewhat blasé about securing it. The most recent example is Equifax’s failure to patch Apache Struts CVE-2017-5638 in March 2017, when the flaw was first publicly reported and fixed releases were already available. Given that Equifax indicated that it was hacked in “mid-May,” the company had upwards of nine weeks to apply the fix. It’s therefore irresponsible for the company to blame Apache Struts, as it initially did, when the fault was its own failure to keep the software patched.
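The practical check that a nine-week patch window should have prompted is an inventory: which deployed applications still ship a struts2-core jar in the affected range? The script below is an added example, not code from the article or from Equifax. The vulnerable and fixed version boundaries come from the Apache S2-045 advisory for CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10 affected; 2.3.32 and 2.5.10.1 the first fixed releases on each branch). The jar paths it scans are constructed sample input standing in for a `find / -name 'struts2-core-*.jar'` listing; in a real deployment the path list would come from that command or from a software inventory.

```python
"""Triage deployed Apache Struts 2 core jars against CVE-2017-5638 (S2-045).

Added example, not from the original article. Version boundaries are taken
from the Apache S2-045 advisory; the sample paths below are constructed.
"""
import re
from typing import List, Tuple

# Filename pattern for the struts2-core artifact as Maven names it.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")

# First fixed release on each maintained branch (S2-045 advisory).
FIXED_2_3 = (2, 3, 32)
FIXED_2_5 = (2, 5, 10, 1)


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1). Tuples compare component-wise, so
    (2, 5, 10) < (2, 5, 10, 1), which is exactly what the 2.5 branch needs."""
    return tuple(int(part) for part in version.split("."))


def struts_core_vulnerable(version: str) -> bool:
    """True if this struts2-core version is in an S2-045 affected range."""
    v = parse_version(version)
    if (2, 3, 5) <= v < FIXED_2_3:
        return True
    if (2, 5) <= v < FIXED_2_5:
        return True
    return False


def triage(jar_paths: List[str]) -> List[Tuple[str, str, bool]]:
    """For every struts2-core jar in the list, return (path, version, vulnerable).
    Paths that are not a struts2-core jar are skipped; a shaded or renamed
    jar will not match and must be checked via its MANIFEST.MF instead."""
    findings = []
    for path in jar_paths:
        match = JAR_RE.search(path)
        if not match:
            continue
        version = match.group(1)
        findings.append((path, version, struts_core_vulnerable(version)))
    return findings


# Constructed sample listing, as if produced by a filesystem search.
SAMPLE_PATHS = [
    "/opt/app1/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/app2/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/app3/WEB-INF/lib/struts2-core-2.5.10.jar",
    "/opt/app4/WEB-INF/lib/struts2-core-2.3.32.jar",
    "/opt/app5/WEB-INF/lib/commons-fileupload-1.3.2.jar",
]

if __name__ == "__main__":
    for path, version, vulnerable in triage(SAMPLE_PATHS):
        status = "VULNERABLE (patch now)" if vulnerable else "fixed"
        print(f"{version:<10} {status:<22} {path}")
```

The version comparison deliberately treats `2.5.10` and `2.5.10.1` as distinct releases, since the only difference between the exposed and fixed 2.5 builds is that fourth component. The filename match is a coarse first pass: applications that repackage Struts under another name, or bundle it inside a fat WAR, need the jar manifest or the `pom.properties` inside the archive inspected instead.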