At least seven tech giants still use the vulnerable software that hackers exploited to attack Equifax last year.
By Zack Whittaker for Zero Day | May 7, 2018 -- 16:43 GMT (09:43 PDT) | Topic: Security
Last year's massive data breach at Equifax should have been a wake-up call for the entire industry.
Hackers stole 145 million records by exploiting a vulnerability in a widely used open-source web server software that the credit rating giant failed to patch months earlier. Names, addresses, social security numbers, and more were swiped -- leaving Americans at risk of credit fraud and identity theft.
But a year after the patches were released, some of the world's wealthiest companies are still using, or have since introduced, the same flawed software.
Thousands of companies have downloaded vulnerable versions of Apache Struts, a popular web server software used across the Fortune 100 to provide web applications in Java. It's often used to power both front- and back-end applications -- including Equifax's public website.
The bug used in the Equifax hack was fixed in March 2017, but Equifax never installed the patches.
Since those patches were made available, data seen by ZDNet shows that at least 10,800 companies downloaded vulnerable versions of the software.
The data, provided by Sonatype, an open-source automation firm, shows that over half of the Fortune Global 100 are using vulnerable versions of the software.
Although the firm wouldn't name the affected companies, a quarter of them are based in North America. The data showed that seven are tech giants, and 15 are financial services or insurance firms.
https://www.zdnet.com/article/after-equifax-breach-companies-rely-on-same-flawed-software/