A classic case of failure to patch. Will this mean greater liability for Equifax?
Naked Security explains:
Equifax today posted an announcement on their website with more information about what they believe is the source of the massive breach.
There are two key statements of interest for us, so let’s take a look:
“We know that criminals exploited a US website application vulnerability.”
This isn’t terribly surprising: Verizon’s DBIR research has repeatedly shown that web applications are the most common attack target by a large margin. The targets are plentiful, their security generally a bit more lax, and research has shown that the vulnerability/patch gap is even greater for web apps than it is for most other application types. But more on that gap in a moment.