22 Sep 2017
This question was recently answered, as Equifax announced, “We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638.” What’s so bad about this disclosure? As it turns out, the patch for this vulnerability had already been made available months before the breach occurred. This raises multiple concerns. For one, Equifax is not going to win back any consumer confidence with the admission that it either chose not to update its systems or failed to notice that a patch was available and needed to be applied. And two, if this could happen to a company as large as Equifax, then who isn’t at risk?
Year After Year Growth

2016 was the biggest year on record when it comes to data breaches, but 2017 is shaping up to be even worse. A selection of large data breaches this year includes:
- FAFSA: IRS Data Retrieval Tool – Up to 100,000 taxpayers had information stolen via a compromised data tool used in connection with the Free Application for Federal Student Aid (FAFSA)
- UNC Health Care – Roughly 1,300 women who completed pregnancy home risk screening forms at prenatal appointments between 2014 and 2017 had their personal information sent to incorrect county offices, exposing this data
- Gmail – An estimated 1 million users were affected by a phishing scam in which users received official-looking emails from an attacker impersonating Google
- Verizon – Verizon suffered a data breach that could affect up to 14 million subscribers