Equifax paid a $425M settlement for an avoidable hack

Equifax paid a $425M settlement for an avoidable hack

October 9, 2021·Nick Gracilla
Nick Gracilla

In the fall of 2017, Equifax announced they were hacked. It was the most extensive data breach in history. More than 200 million customer records were stolen.  

Equifax agreed to a settlement of $425 million to help people affected by the theft. The breach was entirely preventable if they had been using an essential security practice called dependency scanning.

All software is composed of components that must be reviewed regularly for vulnerabilities and security updates.

Security reports are called CVEs: Common Vulnerabilities and Exposures. The nonprofit organization, MITRE, sponsored by the US Federal Government, catalogs these reports. Two months before the breach, the maintainers of Apache Structs, a common web framework, released a critical security report, “CVE-2017-5638.” It included instructions on how to patch the flaw.

We don’t know why, but Equifax failed to apply this patch. Two months gave plenty of time for hackers to siphon off gigs of personal data.

The problem is not unique to Equifax: I often consult with businesses that use badly out-of-date software. Here’s how you can avoid this:

Discuss how your team identifies and applies security patches.

Even if your business has no formal system yet, there’s something informal in place. Learn what that is, how your team discovers vulnerabilities, and when they apply updates.

Automate vulnerability scans.

Modern web apps use Software Composition Analysis (SCA) to automate comparing dependencies against CVEs. It should happen as part of the software build and deploy process. It sends alerts whenever there’s a critical vulnerability, so that developers can act quickly.

Value the work of maintaining software security.

Becoming security conscious is an organization-wide responsibility, not just some IT chore. Celebrate updates, as each patch is an attack avoided.

Security is on everyone’s mind. The good news is that taking even a few steps towards tools, resources, and automation can shore up the “easy” attacks that bad actors prefer.

Updated on