Risk & Repeat: Equifax data breach fallout continues
In this week's Risk & Repeat podcast, SearchSecurity editors continue discussing the Equifax data breach and examine new details about an Apache Struts flaw tied to the attack.
New details have emerged about the massive Equifax data breach, which have raised more questions about the company's infosec posture and triggered a debate over enterprise patching practices.
The credit reporting agency disclosed in an update last week that a critical Apache Struts vulnerability was the culprit in the now-infamous Equifax breach. The vulnerability was made public in March, but Equifax failed to patch a web application that used the framework before attackers gained access to its network in May. The Equifax data breach resulted in approximately 143 million U.S. consumers having personally identifiable information (PII) exposed, including birthdates and Social Security numbers.
Equifax's disclosure has sparked a debate among infosec professionals about the importance -- and difficulties -- of patching enterprise systems. While some experts have argued that Equifax was obligated to patch the flaw immediately, others have argued that patching legacy systems often requires more time and effort. The new details of the Equifax data breach add to growing concerns and inquiries from government officials about why data files with the PII of so many Americans were seemingly unprotected.
What are reasonable expectations for patching legacy systems? Was the Apache Struts vulnerability the root cause of the Equifax data breach? Or is the company's lack of data protection measures more to blame for the incident? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.
Editor's note: A fire alarm occurs at approximately 16:20 on this recording. We apologize for the noise.