Thousands Of Customers Using Flawed Software That Led To Equifax Breach

Despite the Equifax breach that exposed the personal data of more than 145 million Americans, Fortune is reporting that thousands of companies have the same computer security holes in their networks that place the sensitive data of consumers at risk.

According to the report, which cites data from the cybersecurity startup Sonatype, 10,801 companies – including 57 percent of Fortune Global 100 companies – have downloaded versions of Apache Struts, an open-source software package that is known to be vulnerable to the same holes that enabled Equifax to be hacked. Although The Apache Software Foundation released patches for the software after Equifax was breached, businesses continue to download bad copies of Struts, putting them in a position to potentially get hacked themselves.

Sonatype wouldn’t specify which companies are using the bad copy of Struts, but the report noted that seven of the businesses were Fortune Global 100 tech companies, eight were Fortune Global 100 automakers and 15 were Fortune Global 100 financial services and insurance companies. What’s more, more than 8,780 companies continued to download the vulnerable version of Struts even after the Equifax hack was disclosed.

Broken down another way, only around one in five businesses that knew about the Equifax breach stopped downloading the flawed software. In fact, as many as 3,049 organizations downloaded software containing the exact same security vulnerabilities the hackers used to breach Equifax.

“Downloading vulnerable versions of Struts is a symptom of a broader hygiene issue,” said Wayne Jackson, Sonatype’s CEO. “The problem is that these organizations don’t care enough to exert control, or don’t have the infrastructure in place to know what’s being used.”

The executive noted that the companies’ failure to patch outdated software isn’t unique to Struts, but likely involves millions of copies of software that is not patched. However, he noted that Struts is “a household name that should have gotten enough attention for people to change their behaviors.”