Cybersecurity experts weigh in on Equifax's failure to install software fix
Equifax had two months to prevent its massive data breach, but failed to install a software fix flagged by an industry group. Cybersecurity experts say a patch for it was issued in March, but hackers didn't start stealing the sensitive information of up to 143 million Americans until May.
CBS News' Anna Werner spoke with a former Equifax employee, who raised questions about the company's practices said he wasn't surprised Equifax's servers were breached. Many are flabbergasted Equifax failed to install a critical security update.
Chris Mattmann is vice president of the Apache Software Foundation, the organization behind Apache Struts – a popular program used by Equifax for building websites.
He says he expects a company like Equifax to do a better job securing its computer systems.
"It definitely worries me. It's not something that anyone should take lightly," Mattmann said. "Something was missed."
In March, his group discovered a bug that let hackers take control of computers running the software. A fix was issued the same day.
"If you don't apply those security patches and things like that you basically willfully ignore them or whatever, well then you're subject to sort of the outcome of what could happen from that. You're vulnerable," Mattmann said.
It's unclear why Equifax apparently left its computers unprotected for months.
On Thursday, the Federal Trade Commission took the unusual step of confirming it was investigating how hackers accessed sensitive data on roughly 143 million Americans. Maneesha Mithal, associate director of the FTC's privacy and protection division, says the agency has sued about 60 companies that didn't take reasonable steps to protect private information.
"In many cases, we found that companies had simple passwords, two letter passwords. They didn't update their anti-virus software or their firewalls," Mithal said.
Shawn Frix was a lead information analyst at Equifax. He says people in his department shared unmasked social security numbers to company offices overseas.
"This is people's personal information, their socials, their date of births, their addresses, what's being sent to basically a third world country," Frix said.
After nearly eight years with the company, Frix was fired in 2015 in a dispute about his overtime pay. He later sued.
"You're basically a commodity. Your information's a commodity," Frix said.
"CBS This Morning" asked Equifax to respond to Frix's allegations, but it has not yet responded. The company settled Frix's lawsuit for $35,000 without any admission of wrongdoing.