People continue to investigate the reasons behind the cybersecurity incident at EQUIFAX. The company has a long track record of mishaps, and it keeps getting headline after headline. However, it seems the former CEO of the company has finally decided to bring to light the guilty party behind the incident.
Hackers exposed the Social Security numbers, driver's licenses and other sensitive info of 145 million Americans earlier this summer by exploiting a vulnerability in Apache’s Struts software. However, according to testimony heard today from former CEO Richard Smith, not everything is as it seems, because the vulnerability had been patched a long time ago.
Smith decided to talk during a livestream for the Digital Commerce and Consumer Protection subcommittee of the House Energy and Commerce Committee, and he mentioned that the company had been aware of the issue ever since it was announced by CERT on March 8.
So, what happened internally that made EQUIFAX the company responsible for the biggest cyberattack in history? One person didn’t properly do their job. “The human error was that the individual who’s responsible for communicating in the organization to apply the patch, did not,” Smith said.
The individual responsible for this human error was not identified by Smith. Considering the fact that the Chief of Security was a freaking music major, I’m not really that surprised by this claim.
According to the written testimony Smith provided, EQUIFAX sent an internal e-mail on March 9 to deploy the Apache Struts update within 48 hours. With no vulnerabilities found by the system or the IT department, the person in charge didn’t mention there was a vulnerability in the system that had to be patched.
The hackers, who easily recognized the vulnerability, started to take action. By March 13, the company had been attacked and the information was leaked for everyone to see. What a wonderful insight, especially considering the fact that a team of 225 cybersecurity experts at one of the largest credit reporting agencies didn’t recognize the freaking issue.
So, if you have the feeling these claims are absolutely bogus, you’re not the only one, because I believe that blaming everything on one nameless person is too convenient to be true.