Equifax Inc. dropped in early trading after specifying which software vulnerability hackers exploited to steal data on 143 million U.S. consumers, pointing to a flaw that computer security experts had flagged publicly early this year.
“The vulnerability was Apache Struts CVE-2017-5638,” the company said in a frequently-asked-questions section of a website it set up to help people affected.
The computer security community has been abuzz for days, trying to pinpoint how hackers broke in and how Equifax could’ve headed off the attack. The Apache Software Foundation, which oversees the open-source software, had issued a patch in March for the flaw Equifax blamed.
Equifax slipped 1.5 percent to $97.55 at 8:39 a.m. in New York. The stock has dropped 31 percent since the company announced last week that hackers accessed sensitive data including Social Security numbers. Shares of Experian Plc, which trade in London, dropped as much as 6.4 percent on Thursday.
The vulnerability was a critical weakness for many large websites that were built using the software. While many companies don’t apply software patches immediately, out of concern about breaking existing code, a delay of several months in removing a high-priority vulnerability is generally considered a dangerous security practice. Atlanta-based Equifax said it discovered the breach on July 29 and that it had been occurring since mid-May. The company hasn’t specified when it sought to patch the flaw.
Rene Gielen, vice president at the Apache Software Foundation, said in an email Thursday that the group doesn’t have reliable information on how long it takes companies to apply patches for vulnerabilities. While firms usually act within hours or days after an announcement, some companies don’t patch for years, he said.
In announcing the incident on Sept. 7, the company initially blamed a “website application” that it didn’t identify. After reports pointed to an issue with Apache Struts, a spokeswoman for the foundation told Reuters that Equifax apparently hadn’t fixed flaws discovered earlier in the year.
Equifax’s latest disclosure may help put such speculation to rest. Still, questions will probably linger in the computer security community over why such broad, sensitive information was available to attackers who essentially entered through the open internet.
© Copyright 2024 Bloomberg News. All rights reserved.