Skip to main content
close search
site logo

Equifax Failed to Patch Software Flaw: Ex-CEO

Published Oct. 3, 2017
By Matthew Heller

Former Equifax CEO Richard Smith has confirmed the company failed to patch a software vulnerability that hackers exploited to compromise the personal information of more than 140 million Americans.

In written testimony to be delivered to a congressional committee on Tuesday, Smith said the Department of Homeland Security alerted Equifax and other companies on March 8 to the need to fix the flaw in Apache Struts, a popular open source framework for creating Java apps that Equifax used in its consumer online disputes portal.

A patch for the flaw had been made available the previous day. But according to Smith, Equifax’s information security department was unable to identify any systems that were vulnerable to the software issue.

As a result, he said, “the vulnerability remained in an Equifax web application much longer than it should have. It was this unpatched vulnerability that allowed hackers to access personal identifying information.”

Before Smith’s testimony, Equifax had not accounted for its apparent failure to install the patch. The breach occurred in mid-May but Equifax security personnel did not notice any suspicious activity until July 29. They disabled the web application the following day, ending the hacking.

Security experts have warned that other organizations may be vulnerable to similar breaches because of the technical challenges involved in patching a flaw in applications software. Many users do not maintain a proper inventory of their apps, making it difficult even to identify exactly where the flaw that needs to be patched is.

Smith said he learned about the problem July 31 from the company’s chief information officer and a full response began Aug. 2, including contacting the FBI. Despite numerous internal discussions, Equifax did not publicly announce the breach until Sept. 7.

One reason for the delay, Smith said, was experts had told company executives that notifying the public “would provoke ‘copycat attempts’ and other criminal activity.”

Smith announced last week he was retiring amid amounting criticism of Equifax’s response to the breach. “I am here today to apologize to the American people myself,” he said in his testimony.

Filed Under: Technology

Editors' pick

  • Calendar
    Image attribution tooltip
    Misha Shutkevych via Getty Images
    Image attribution tooltip
    Tracker

    CFO Annual Conferences and Events Tracker

    CFO’s annual conference and events calendar tracker ensures finance executives know about the most essential in-person events.

    By CFO Editorial Team • Updated Dec. 4, 2023

Company Announcements

View all | Post a press release
Jason Cherry Joins Assent as New Chief Financial Officer
From Assent, Inc.
December 07, 2023
Wealth Inequality the Result of Pure Randomness, Tufts University Study Suggests
From Society for Industrial and Applied Mathematics
November 21, 2023

Want to share a company announcement with your peers?

Get started

Read next
  • Calendar
    Image attribution tooltip
    Misha Shutkevych via Getty Images
    Image attribution tooltip
    Tracker

    CFO Annual Conferences and Events Tracker

    CFO’s annual conference and events calendar tracker ensures finance executives know about the most essential in-person events.

    By CFO Editorial Team • Updated Dec. 4, 2023
Latest in Technology
image/svg+xml
Industry Dive is an Informa business
© 2023 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell