Here’s an infamous incident that occurred due to unpatched software:
In 2017, Equifax, a US-based credit reporting agency, suffered one of the worst data breaches in history. The breach affected approximately 143 million people, whose details, such as social security numbers, driver's licenses, names, birth dates, and addresses, were leaked. About 40% of the US population was affected by this data breach. For about 200,000 people, it was even worse, as their credit card details were also stolen.
Multiple factors led to this breach, but it all started with a vulnerability that could have been fixed. Equifax’s consumer complaint web portal had a vulnerability in Apache Struts, which attackers were aware of and took full advantage of. They entered Equifax’s systems through this loophole. Because the systems weren’t segmented, the attackers were able to move freely from one system to another. They also found usernames and passwords stored in plain text, which gave them access to even more systems. The data was exfiltrated for months undetected because the security certificates for Equifax’s internal tool had expired.
Before this incident took place, a patch had been released to fix the Apache Struts vulnerability, which was widely known at the time. Unfortunately, Equifax missed the patch update, and the vulnerability remained unfixed. Regrettably, none of its scans detected the vulnerability.
This incident attracted a lot of bad press, lawsuits, and reduced financial ratings for Equifax. The company spent about $1.4 billion to upgrade its technology and to improve security. It also spent $1.38 billion in settlements and resolving consumer claims.3
This is not the only incident caused by unpatched errors, misconfigurations, or insecure access. There are many other examples, such as JP Morgan Chase, Uber, US Voter Registry, Yahoo, Target, Home Depot, and so many more. About 70% of organizations have faced a cyber-attack through an unknown or unmanaged asset.4 Yet only 9% of organizations have tested 100% of their attack surface.
This highlights the need for attack surface reduction by getting rid of vulnerabilities, as companies are adding new devices and technologies by the day. All entry points must be secured so that there’s no risk of unauthorized access, infection, data breach, or any other cyber incident.