Equifax has reached an agreement with eight states to correct data security deficiencies that led to what may be the most costly breach in corporate history.
The consent order addresses, among other things, Equifax’s failure to patch a software vulnerability, which hackers exploited to compromise the personal information of more than 140 million Americans.
“The company must improve standards and controls for supporting the patch management function,” the order said, adding that “An effective patch management program must be implemented to reduce the number of unpatched systems and instances of extended patching time frames.”
Regulators from California, Texas, New York, North Carolina, Massachusetts, Georgia, Alabama and Maine signed the order. During a joint regulatory examination, they “found deficiencies in several facets of how Equifax operated and managed its information technology systems before the breach,” according to a news release.
“The breach never should have happened,” Jan Lynn Owen, commissioner of the California Department of Business Oversight, said. “This order will help ensure it doesn’t happen again.”
Equifax has confirmed that attackers entered its computer system in May 2017 through a vulnerability in Apache Struts, a widely used enterprise web-application framework, for which a patch had been available since March 2017.
In congressional testimony, former CEO Richard Smith said an “individual” in Equifax’s technology department failed to heed security warnings and did not ensure the implementation of software fixes that would have prevented the breach.
Security experts have warned that other organizations may be vulnerable to similar breaches because of the technical challenges involved in patching a flaw in application software. Some organizations also fail to maintain an accurate inventory of the applications they run, so they cannot tell which systems need the patch.
Under the consent order, Equifax is required to identify and document a comprehensive IT asset inventory and formalize a process that can routinely identify what patches need to be updated and installed.
The company must also increase oversight of its information security program and important vendors to “ensure sufficient controls are developed to safeguard information” and provide written progress reports to the state regulatory agencies.
