How an ordinary threat toppled an extraordinary security program

Sponsored By: Fortinet

As one of the three main credit reporting agencies in the United States, Equifax is responsible for storing an enormous amount of highly sensitive personal details about consumers. This information is protected by various security layers, and the company has scores of people dedicated to ensuring the systems and processes that protect this data are secure. Despite the layers of protection, in the spring of 2017, hackers gained access to a significant portion of consumer data – including names, birthdates, street addresses, and Social Security numbers.

145 million consumers had their personal information exposed in the breach.

How did the hackers gain access?

It was quickly discovered that the hackers gained access via a vulnerability in the Apache Struts software. Apache Struts had recognized the vulnerability early in 2017 and made a patch available. Unfortunately, company-wide internal messaging from the Equifax security department went unheeded by some, and the patch was not installed on some units. Without the patch installed, hackers were able to easily gain access to the targeted information.

Who else was hit?
According to Fortinet’s Q3 2017 Threat Report, the Apache Struts framework vulnerability did not impact only Equifax. A significant number of exploits during the third quarter of the year were attributable to the Apache Struts framework vulnerability. Hackers are constantly on the lookout for ways to infiltrate a company, and once one company is hit, other companies that have failed to follow proper security protocols can quickly and easily be found.

“It appears that the breach occurred because of both human error and technology failures.” Former Equifax CEO Richard Smith

There is a patch for this problem
Vulnerabilities are going to happen with any piece of software, and staying on top of patching critical components is difficult, but it is a must. Once security and IT departments learn of the vulnerability, it is their responsibility to communicate the urgency to the key personnel within the company, but it is also necessary for those who are informed to act immediately. Security issues have now gone beyond the realm of the IT department and are firmly at the desk of each individual within an organization.

This article is one of a six-part series exploring Fortinet’s Q3 2017 Threat Report.


