Slashdot Mirror


After Equifax Breach, Major Firms Still Rely on Same Flawed Software (zdnet.com)

Last year's massive data breach at Equifax should have been a wake-up call for the entire industry. But a year after the patches were released, some of the world's wealthiest companies are still using, or have since introduced, the same flawed software. From a report: Thousands of companies have downloaded vulnerable versions of Apache Struts, a popular web server software used across the Fortune 100 to provide web applications in Java. It's often used to power both front- and back-end applications -- including Equifax's public website. The bug used in the Equifax hack was fixed in March 2017, but Equifax never installed the patches. Since those patches were made available, data seen by ZDNet shows that at least 10,800 companies downloaded vulnerable versions of the software. The data, provided by Sonatype, an open-source automation firm, shows that over half of the Fortune Global 100 are using vulnerable versions of the software. Although the firm wouldn't name the affected companies, a quarter of them are based in North America. The data showed that seven are tech giants, and 15 are financial services or insurance firms.

7 of 62 comments

  1. Well duh.... by Kenja · · Score: 4, Insightful

    A data breach may cost money later, but changing would cost money now, which is all stock holders care about.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"

  2. Equifax got away, so why change? by sinij · · Score: 4, Insightful

    This behavior is very logical. Equifax got away with gross negligence in the area of data security. It follows that expenditures on data security can be minimized. Updates and technical expertise cost money; a market-driven approach would be to keep already paid-for systems in place and outsource maintenance of these old systems to the lowest bidder.

    1. Re:Equifax got away, so why change? by ErichTheRed · · Score: 2

      This is exactly correct. There's no money in fixing security problems, insurance will pay any damages, and executives are shielded from any liability anyway. And all they have to do is give consumers a year of free "credit monitoring."

      Until we start treating software engineering the way we treat civil engineering, and hold authors of software liable for their creations, nothing will change. Companies are protected anyway, and software guys can just walk down the street into a new job like nothing ever happened.

    2. Re:Equifax got away, so why change? by swillden · · Score: 2

      insurance will pay any damages

      If there were significant damages, this would be part of the solution, not part of the problem. Insurance companies are quite good at assessing risk and delivering targeted recommendations which must be followed to get lower premiums. The problem is that there are no real damages for insurance companies to pay, so none of these incentives come into play.

      Maybe what we need is statutory damages for privacy breaches, which apply above and beyond any provable actual damages. Say, $100 for each social security number, name, address etc., perhaps on an increasing scale when multiple pieces of information about one person are leaked in such a way that they are connected, since having more data about a person makes identity theft and other malicious use easier. The money should be payable to the person whose information is leaked.

      Oh, and evidence that a company tried to hide a breach should result in triple damages and criminal prosecution of the individuals who tried to conceal it.

      If the Equifax breach had resulted in statutory payouts of, say, $500 per person to each of the 145M people harmed, the resulting $72.5B liability would have hammered Equifax flat, insurance or no. And you can bet that other companies would have gotten serious about data security -- not only that, it would make stored data about individuals a serious liability which companies would try to avoid. You can't be forced to pay out for leakage of data that you never had. Companies' own attorneys and insurance companies would be constantly harping on the need to limit liability by destroying customer/user data.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

  3. Why Patch by Anonymous Coward · · Score: 3, Insightful

    How many Equifax executives have gone to prison?

    Put them in chains, and other executives might notice.

  4. Consultant-built Software by ErichTheRed · · Score: 2, Informative

    One problem is that companies continue to run software that was built as a one-off by some consulting company, offshore vendor or similar. They either don't exist anymore, or want millions to even look at the code again. Those packages need these out-of-date frameworks and other software as dependencies, and the company doesn't have the expertise in-house to know whether a patch will break something. In my line of work, the main offender is awful Java thick client applications, and these often require a _specific_ point release of some horribly outdated JRE/JDK. But JEE web apps are even worse in this regard... and despite the hype around app-of-the-month, there are TONS of these systems from the 2000s floating around in big companies.

    Consulting companies should be required to at least hand over the source code for software they produce if they're not interested in maintaining it long-term as an actual product. And if a company is relying on some system as a dependency, they shouldn't allow their vendors to walk away without fully understanding what they've left running on their systems.

  5. How many went to jail for Equifax breach? by 140Mandak262Jamuna · · Score: 2

    None. Right?

    What it lost was money, right? And who lost it? The shareholders.

    All the bonuses and pay these executives were gorging themselves on were not clawed back. They did not go to jail. They paid the fines and compensation using shareholders' money.

    Why would they change?

    Why would you expect them to change?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact