The Equifax breach affected more than 145 million Americans, and according to a recent report, “thousands” of companies are still using the same vulnerable versions of the software targeted in that breach.
More than 10,000 organizations “have downloaded known-to-be-vulnerable versions of Apache Struts, the popular, open source software package that attackers targeted to loot Equifax,” Fortune reports.
Although Apache has released a number of patches for its software, businesses are still downloading the old, vulnerable versions of Struts. These companies were identified by Sonatype, a cybersecurity startup.
While Sonatype isn’t publicly disclosing the names of these companies, researchers told Fortune that “seven of the businesses were Fortune Global 100 tech companies, eight were Fortune Global 100 automakers, and 15 were Fortune Global 100 financial services or insurance firms.”
Slow Fix Or No Fix?
As Fortune explains, downloading a patched version and installing it may seem easy for the average computer user, but it’s not always so easy for a large company. In the case of Apache Struts, the framework is embedded in many different applications in different ways, and those applications may need to be rebuilt and retested before they work with the patched version.
So it may not be an easy process. That being said, it’s still a necessary process. Some of these companies may not be making the correct adjustments because they either don’t think it’s worth it — the time or the money — or they’re completely unaware that there’s a problem at all.
Neither possibility is encouraging. Fortune concludes that “the fallout from Equifax has not seemed to dissuade corporations from pulling unsafe code into their networks,” and it’s hard to disagree.
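One practical way to stop “pulling unsafe code into their networks” is a build gate that refuses a dependency manifest naming a version known to be vulnerable. The script below is an added example, not code from Fortune, Sonatype or the Apache Struts project: it reads a constructed Maven `pom.xml`, expands `${property}` version references the way real builds pin versions, and fails when `org.apache.struts:struts2-core` falls inside a policy range. The version boundaries in `VULNERABLE_RANGES` are placeholders, not the real affected or fixed Struts versions; a team would fill them from the Apache Struts security bulletins or a vulnerability database.

```python
import re
import xml.etree.ElementTree as ET

# Constructed policy table for this example. The boundaries are PLACEHOLDERS,
# not the real affected/fixed Struts versions: fill them from the Apache Struts
# security bulletins or a vulnerability database before relying on this gate.
VULNERABLE_RANGES = {
    ("org.apache.struts", "struts2-core"): [
        ("2.3.0", "2.3.50"),   # PLACEHOLDER: [first affected, first fixed)
        ("2.5.0", "2.5.50"),   # PLACEHOLDER: [first affected, first fixed)
    ],
}

# Constructed pom.xml: Struts pinned through a property, as real builds often do.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>webapp</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>2.3.20</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.7</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(v):
    """Split '2.5.10.1' into (2, 5, 10, 1). Non-numeric qualifiers become -1 so
    that a pre-release such as 2.3-SNAPSHOT sorts below 2.3.0."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v.strip()))


def is_vulnerable(group, artifact, version):
    """True when the version falls inside any [affected, fixed) range in the policy."""
    pv = parse_version(version)
    return any(parse_version(lo) <= pv < parse_version(hi)
               for lo, hi in VULNERABLE_RANGES.get((group, artifact), []))


def dependencies_from_pom(pom_xml):
    """Return (groupId, artifactId, version) triples with ${property} references
    expanded from the POM's own <properties> block. Every <dependency> element
    is visited, including those under dependencyManagement or plugins, since a
    gate should err on the side of looking at too much."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""

    def q(tag):
        # Qualify a tag with the POM namespace, if the document declares one.
        return f"{{{ns}}}{tag}" if ns else tag

    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall(f"{q('properties')}/*")}

    def expand(value):
        # Replace ${name} with the property value; unknown names are left as-is.
        if value is None:
            return None
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

    return [(expand(dep.findtext(q("groupId"))),
             expand(dep.findtext(q("artifactId"))),
             expand(dep.findtext(q("version"))))
            for dep in root.iter(q("dependency"))]


def check_pom(pom_xml):
    """Return 'group:artifact:version' strings for dependencies the policy flags.
    A non-empty result is the signal for CI to fail the build."""
    return [f"{g}:{a}:{v}" for g, a, v in dependencies_from_pom(pom_xml)
            if v is not None and is_vulnerable(g, a, v)]


if __name__ == "__main__":
    for finding in check_pom(SAMPLE_POM):
        print("BLOCK:", finding)
    # Bumping the property to the (placeholder) fixed version clears the gate.
    print("after upgrade:", check_pom(SAMPLE_POM.replace("2.3.20", "2.3.50")))
```

Run as a CI step, a non-empty result from `check_pom` should fail the build; the rebuild-and-retest work the article describes then happens on the development branch rather than after the vulnerable artifact has already shipped. Versions declared only by a parent POM or imported BOM are not resolved here, so in practice the gate is better run against the effective POM or a lock file.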
Whether through ignorance or deliberateness, it doesn’t appear companies see these breaches as a major issue. Sadly, it may take more major data breaches — and more affected customers — to get this point across. (And if a company’s bottom line isn’t harmed by a breach, even that may not be enough.) We continue to hope for substantial federal legislation that would make companies more accountable for what they do with user data.