CAPPING A WEEK of incompetence, failures, and general shady behavior in responding to its massive data breach, Equifax has confirmed that attackers entered its system in mid-May through a web-application vulnerability that had a patch available in March. In other words, the credit-reporting giant had more than two months to take precautions that would have defended the personal data of 143 million people from being exposed. It didn't.

As the security community processes the news and scrutinizes Equifax's cybersecurity posture, numerous doubts have surfaced about the organization's competence as a data steward. The company took six weeks to notify the public after finding out about the breach. Even then, the site that Equifax set up in response to address questions and offer free credit monitoring was itself riddled with vulnerabilities. And as security journalist Brian Krebs first reported, a web portal for handling credit-report disputes from customers in Argentina used the embarrassingly inadequate credentials of "admin/admin." Equifax took the platform down on Tuesday. But observers say the ongoing discoveries increasingly paint a picture of negligence—especially in Equifax's failure to protect itself against a known flaw with a ready fix.

A 'Relatively Easy' Hack

The vulnerability that attackers exploited to access Equifax's system was in the Apache Struts web-application software, a widely used enterprise platform. The Apache Software Foundation said in a statement on Saturday (when rumors swirled that the March Struts bug might be to blame) that, though it was sorry if attackers exploited a bug in its software to breach Equifax, it always recommends that users regularly patch and update their Apache Struts platforms. "Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years," René Gielen, the vice president of Apache Struts, wrote.
In this case, Equifax had ample opportunity to update.