Dive Brief:
- About 11,000 companies did not learn Equifax's lesson. Between March 2017 and February 2018, 10,800 companies installed faulty software, Fortune reports, based on research by Sonatype. Seven Fortune Global 100 tech companies, eight Fortune Global 100 automakers and 15 Fortune Global 100 financial services organizations are among those with the outdated software.
- The hackers behind Equifax's breach leveraged vulnerabilities in the open source software package Apache Struts. Versions of Apache Struts are crippled with flaws, but 8,780 organizations have continued to download the software since Equifax's breach disclosure in September. About 3,000 companies have downloaded the same versions of Struts that resulted in Equifax's breach.
- Patches for the software bug were made available in March 2017. The software's security holes left the "framework that helps power the transactional backends of many business" exposed to a possible remote code execution-style attack, according to Fortune.
Dive Insight:
When it comes to cybersecurity, one company's tragedy is another company's lesson. Patching remains a weak layer of cybersecurity despite being one of the basics. For a range of reasons, companies have ignored the warning signs displayed by the fall of others.
Since September 2017, Equifax has spent $242.7 million on breach-related remediation with nearly $30 million of it spent on legal and professional fees, according to the company's Q1 2018 earnings report.
Once a provider has issued a patch, the responsibility for applying it no longer lies solely with the provider. Patches for outdated software are issued regularly so that its integrity stays resilient enough to withstand malicious activity.
One reason patches can slip under the radar is an environment crowded with software that no maintained inventory tracks. If companies invested the time to create a real-time inventory of their software, locating a vulnerable version should be easier.
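The kind of check such an inventory makes possible, as an added example that is not code from the brief, Fortune or Sonatype: it walks a constructed sample inventory of deployed components and flags every copy of a component whose version is older than the first fixed release on its maintenance branch. The component coordinate, hostnames, versions and fix map are all constructed placeholders; the real fixed versions come from the vendor's advisory.

```python
# Added example: check a software inventory for unpatched copies of a component.
import re
from typing import Dict, List, Tuple

STRUTS = "org.apache.struts:struts2-core"  # Maven coordinate of the component

# Constructed sample inventory: (host, component coordinate, deployed version).
# A real-time inventory would come from build manifests, SBOMs or an agent.
INVENTORY: List[Tuple[str, str, str]] = [
    ("web-01", STRUTS, "2.3.31"),
    ("web-02", STRUTS, "2.5.20.1"),
    ("web-03", STRUTS, "2.5.12"),
    ("api-01", STRUTS, "2.3.40"),
    ("legacy-01", STRUTS, "2.1.8"),
    ("api-02", "org.springframework:spring-core", "4.3.7"),
]
# Constructed sample fix map: maintained branch -> first version carrying the fix.
# Placeholder numbers; the real ones come from the vendor's security advisory.
SAMPLE_FIXED_BY_BRANCH: Dict[str, str] = {"2.3": "2.3.40", "2.5": "2.5.20"}

def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.20.1' -> (2, 5, 20, 1); a non-numeric piece such as 'RC1' counts as 0."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)

def is_older(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """Compare tuples of different length by padding the shorter one with zeros."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def branch_of(version: str) -> str:
    """Maintenance branch is the first two components: '2.5.12' -> '2.5'."""
    major, minor = (parse_version(version) + (0, 0))[:2]
    return f"{major}.{minor}"

def find_unpatched(inventory, component, fixed_by_branch) -> List[Tuple[str, str, str]]:
    """Return (host, version, reason) for every deployment not known to carry the fix."""
    findings = []
    for host, coord, version in inventory:
        if coord != component:
            continue
        branch = branch_of(version)
        fixed = fixed_by_branch.get(branch)
        if fixed is None:  # unknown branch is not assumed safe: it may never get a fix
            findings.append((host, version, f"branch {branch} not in fix map; review manually"))
        elif is_older(parse_version(version), parse_version(fixed)):
            findings.append((host, version, f"older than first fixed version {fixed}"))
    return findings
```

Deployments on a branch the fix map does not cover are reported for manual review rather than treated as safe, since an end-of-life branch may never receive the patch at all.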
But even when assurance is available from a software vendor, customers grow frustrated when updates are not as transparent as they would like, according to Oracle CSO Mary Ann Davidson. Publicizing new patches more widely could be the solution for outdated systems, she said.