USA TODAY

SAN FRANCISCO — Cybersecurity professionals who track down bugs had discovered, created a fix for, and told the industry about the vulnerability that allowed attackers into the Equifax network two months before the company was hit by hackers.

“The Equifax data compromise was due to (Equifax’s) failure to install the security updates provided in a timely manner,” The Apache Foundation, which oversees the widely used open source software, said in a statement Thursday.

Equifax told USA TODAY late Wednesday that the criminals who potentially gained access to the personal data of up to 143 million Americans had exploited a website application vulnerability known as Apache Struts CVE-2017-5638. 

The vulnerability was patched on March 7, the same day it was announced, the foundation said. Modifications were made on March 10, according to the National Vulnerability Database.

Equifax said that the unauthorized access began in mid-May. That’s a period of two months in which the company could have, and should have, say experts, dealt with the problem.

“We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement,” Equifax said. It did not respond to a question Wednesday about whether the patches were applied and if not, why not.

It should have acted faster, said other cybersecurity professionals.

“They should have patched it as soon as possible, not to exceed a week. A typical bank would have patched this critical vulnerability within a few days,” said Pravin Kothari, CEO of CipherCloud, a cloud security company.

The initial report of the security vulnerability says that a company using the software…