As Cybersecurity Awareness Month winds down, it’s time to take a look at the final component of this year’s “See Yourself in Cyber” campaign: software updates. This year’s theme emphasizes the role of personal responsibility in protecting yourself online. Responding promptly to software update notifications (or turning on automatic updates) is one of the best protection measures around. However, it’s not one many people take—and sometimes, it’s not one even the largest companies take.
You were likely among the 147 million people affected by the 2017 Equifax data breach. One of the three giant consumer reporting agencies in the United States, Equifax ultimately agreed to a global settlement of up to $425 million with the Federal Trade Commission, the Consumer Financial Protection Bureau, and all U.S. states and territories. Affected consumers (effectively every American with a credit card) could apply for up to $125 in relief.
The Equifax security issue began with a failure to apply a patch released March 7, 2017, to address a vulnerability in Apache Struts, an open-source framework for enterprise Java applications. An Equifax employee was directed to apply the patch to affected systems March 9 but just … didn’t. Hackers figured this out and breached Equifax systems via a consumer complaint web portal.
Due to other security and personnel failures, the hack was not discovered until July 29, by which time criminals had acquired millions of names, birth dates, Social Security numbers, and other pieces of personal information. It took a security team 11 days to boot the hackers out of Equifax’s system.
Interestingly, the stolen data hasn’t shown up on the dark web, leading government officials to determine the hack was a state-sponsored act of espionage—and in February 2020, the U.S. Department of Justice charged four members of China’s military with the crime.