Nope, We Can’t Trust Data Firms to Update Against Known Security Flaws
It seems Equifax was hacked using a two-month-old vulnerability that it could have protected itself against.
"We know that criminals exploited a U.S. website application vulnerability,” the company wrote in a statement. “The vulnerability was Apache Struts CVE-2017-5638.” But as Ars Technica points out, that flaw was identified and fixed on March 6, with a patch (albeit a complex and finicky one to implement) offered to users of the Web app software so that they didn’t get hacked. Equifax was hacked in mid-May, a full two months after the vulnerability was announced. In other words, it looks like Equifax fell foul of a known exploit that it hadn't yet updated its systems against.
That would be careless if it was a security flaw on, say, your own home computer. But when failure to update software with a vulnerability like that—which, as Ars Technica has also reported, was used heavily by hackers in March—can result in the loss of personal data from as many as 143 million Americans, it’s negligent. And when a company claims, like Equifax, to be in the business of fraud prevention, identity management, and selling advice on how to manage data breaches? Well, I guess then we just find ourselves in the modern-day couldn’t-care-less corporate approach to cybersecurity.
Equifax’s CEO, Richard Smith, is due to testify before the House of Representatives on October 3. Let’s hope he's given a real hard time.
Keep Reading
Most Popular
Large language models can do jaw-dropping things. But nobody knows exactly why.
And that's a problem. Figuring it out is one of the biggest scientific puzzles of our time and a crucial step towards controlling more powerful future models.
The problem with plug-in hybrids? Their drivers.
Plug-in hybrids are often sold as a transition to EVs, but new data from Europe shows we’re still underestimating the emissions they produce.
How scientists traced a mysterious covid case back to six toilets
When wastewater surveillance turns into a hunt for a single infected individual, the ethics get tricky.
Google DeepMind’s new generative model makes Super Mario–like games from scratch
Genie learns how to control games by watching hours and hours of video. It could help train next-gen robots too.
Stay connected
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.