Equifax, the credit reporting agency that announced a major data breach last week, had access to the security patch that would have stopped the hackers two months before the breach happened, according to the software company that created the patch.

The timeline

  • On March 7, the Apache Software Foundation released a patch for the vulnerability that Equifax has confirmed caused the breach. Both the vulnerability and the patch were widely known within the industry.
  • The breach itself began in May, with exposure continuing into July. Equifax discovered the breach on July 29.
  • Equifax announced the breach affecting approximately 143 million consumers on Sept. 7.

What the experts are saying

The Apache Software Foundation: “The Equifax data compromise was due to (Equifax’s) failure to install the security updates provided in a timely manner.”

Pravin Kothari, CEO, CipherCloud: “They should have patched it as soon as possible, not to exceed a week. A typical bank would have patched this critical vulnerability within a few days.” (USA Today)

Ilia Kolochenko, CEO, High-Tech Bridge: “A majority of large companies have similar challenges, problems and weakness in their cybersecurity. Most companies still fail to maintain a proper application inventory and thus keep critical vulnerabilities unpatched for months.” (USA Today)

How Equifax is handling this

Not particularly well, so far. The company has been overwhelmed by requests from consumers to freeze their credit, which temporarily knocked its system offline Wednesday.

No one with Equifax has yet responded to questions about why the patch wasn’t implemented in March.

“We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement,” the company’s website reads.
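The inventory gap Kolochenko describes is concrete for this bug: the Struts advisory for CVE-2017-5638 (S2-045) names the affected ranges, 2.3.5 through 2.3.31 and 2.5 through 2.5.10, with fixes in 2.3.32 and 2.5.10.1. The script below is an added example, not code from Equifax or the Apache project, showing the kind of check an application owner could have run against deployed libraries between the March patch and the May intrusion. The file paths are constructed sample data; a version in the affected range means the library needs updating, not that exploitation has been proven.

```python
import re

# Affected ranges for S2-045 / CVE-2017-5638 as published in the Apache Struts
# advisory: 2.3.5 - 2.3.31 (fixed in 2.3.32) and 2.5 - 2.5.10 (fixed in 2.5.10.1).
FIRST_AFFECTED = {(2, 3): (2, 3, 5), (2, 5): (2, 5)}
FIXED = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}

# Matches the struts2-core jar name as shipped in a WEB-INF/lib directory.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(version: str) -> tuple:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so tuple comparison orders releases."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version: str) -> bool:
    """True when the struts2-core version falls inside an S2-045 affected range."""
    v = parse_version(version)
    branch = v[:2]
    if branch not in FIXED:
        # 2.2.x and earlier, or later branches, are outside the advisory's ranges.
        return False
    # Python compares tuples lexicographically, so (2, 5, 10) < (2, 5, 10, 1)
    # and (2, 5) >= (2, 5): the branch boundaries behave as the advisory states.
    return FIRST_AFFECTED[branch] <= v < FIXED[branch]


def find_vulnerable_jars(lib_paths) -> list:
    """Return (path, version) for every struts2-core jar in an affected range."""
    findings = []
    for path in lib_paths:
        match = JAR_RE.search(path)
        if match and is_vulnerable(match.group(1)):
            findings.append((path, match.group(1)))
    return findings


# Constructed sample inventory (hypothetical application names and paths).
SAMPLE_LIB_PATHS = [
    "/opt/apps/dispute-portal/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/apps/dispute-portal/WEB-INF/lib/commons-fileupload-1.3.2.jar",
    "/opt/apps/partner-api/WEB-INF/lib/struts2-core-2.5.10.jar",
    "/opt/apps/intranet/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/apps/legacy-forms/WEB-INF/lib/struts2-core-2.3.32.jar",
]

if __name__ == "__main__":
    for path, version in find_vulnerable_jars(SAMPLE_LIB_PATHS):
        print(f"UNPATCHED struts2-core {version}: {path}")
```

In practice the path list would come from a file walk or a build-system dependency report rather than a literal; the point is that the match against the advisory's ranges is mechanical once an inventory of deployed libraries exists.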

It’s also important to remember that three Equifax executives sold millions in shares in the days following the discovery of the breach, more than a month before it became public.