Thousands of Companies Are Still Downloading the Vulnerability That Wrecked Equifax

By Robert Hackett
May 7, 2018, 9:00 AM ET
When the news emerged that Equifax had succumbed to a colossal data breach from mid-May through July of last year, consumers were livid—in part because the ransacking was entirely preventable. Hackers stole 148 million people’s names, Social Security numbers, birthdates, home addresses, and more sensitive information, as of the major credit bureau’s last count in March, and worse yet, it happened two months after software fixes for the vulnerabilities at fault had been made available.

In the year since, thousands of companies have continued to introduce the same security holes into their computer networks. As many as 10,801 organizations—including 57% of the Fortune Global 100—have downloaded known-to-be-vulnerable versions of Apache Struts, the popular, open source software package that attackers targeted to loot Equifax, from March 2017 through February 2018, according to data from Sonatype, a Goldman Sachs-backed cybersecurity startup that tracks code pulled by software developers.

The Apache Software Foundation released patched versions of the software employed by Equifax on March 7, 2017 as well as six other subsequent times throughout the year. But despite the availability of repaired code, businesses continue to download broken copies of Struts—a pervasive, app-building framework that helps power the transactional backends of many businesses—that are potentially susceptible to remote code execution, enabling an attacker to hijack a computer system from afar.

Sonatype did not identify specific companies that had downloaded flawed software. But of that set of 10,801 Struts-embrittled organizations, seven of the businesses were Fortune Global 100 tech companies, eight were Fortune Global 100 automakers, and 15 were Fortune Global 100 financial services or insurance firms, Sonatype researchers told Fortune.

A catastrophic hack didn’t change habits

Troublingly, the fallout from Equifax has not seemed to dissuade corporations from pulling unsafe code into their networks. As many as 8,780 organizations have continued to download known, vulnerable versions of the Struts software since Equifax’s breach disclosure on September 7, 2017, per Sonatype’s data. In other words, only about 1 in 5 businesses learned from Equifax’s debacle and stopped downloading faulty components once the heist of the credit bureau became publicly known.

The extent to which the corporate world has disregarded Equifax’s breach is startling. As many as 3,049 organizations have downloaded the exact same vulnerabilities that hackers exploited to break into Equifax—that is, the same holes contained in Struts versions 2.2.3 to 2.2.3.31 and 2.5 to 2.5.10, referenced in the U.S. government’s national vulnerability database under CVE-2017-5638, for the technically savvy—since the credit bureau’s breach disclosure, Sonatype researchers said.

To use an analogy, this is like completely ignoring an airbag recall and hoping not to get paralyzed in a collision—except worse because, in this scenario, malicious entities are actively trying to total other vehicles, including, potentially, yours.

“Downloading vulnerable versions of Struts is a symptom of a broader hygiene issue,” says Wayne Jackson, Sonatype’s CEO. “The problem is that these organizations don’t care enough to exert control, or don’t have infrastructure in place to know what’s being used.”

Sonatype was able to collect the data it shared with Fortune, Jackson explains, because it maintains a code repository, Maven Central, relied upon by many software developers as they build applications. When requests for code components come in, Sonatype is able to conduct reverse lookups on the requesters’ IP addresses, and thereby determine from which organizations they originated.

The failure to patch outdated software extends far beyond Struts. “We’ve probably got 10 million components that have defect associations,” Jackson says, referring to the output of other open source programming projects. “It’s not a problem that’s unique to Struts.” But Struts, he adds, is “a household name that should have gotten enough attention for people to change their behaviors.”

“Just because you create patches doesn’t mean customers will apply them,” says Joshua Corman, chief security officer at PTC, a Boston-based software shop, and cofounder of I Am the Cavalry, a grassroots organization focused on cybersecurity advocacy. “It takes a long time to fix this stuff at scale, but I’m worried they’re not trying rather than just being slow.”

Why companies don’t patch

Updating Struts tends to present a greater challenge for companies than applying other software fixes, such as simple Microsoft Windows updates. Because Struts libraries are often bundled with disparate web applications, fixing the issue requires, among other things: knowing which applications use these components; updating so-called build scripts so they fetch the latest versions of the software; rebuilding the applications; and running quality assurance tests to make sure the mended applications work as intended.

It’s not nearly as straightforward as download and reboot. And yet the problem demands swift remediation.
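The first step above, knowing which applications pull an affected Struts build, can be automated against the build scripts themselves. The following is an added example, not code from the article or from Sonatype: it reads a Maven pom.xml (the sample file is constructed), resolves the Struts version through the project's properties, and compares it with the affected ranges the NVD lists for CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1).

```python
"""Audit a Maven pom.xml for struts2-core versions affected by CVE-2017-5638.
Added example (not the article's or Sonatype's code); ranges are the NVD ranges
for the CVE and the pom.xml below is constructed for the demonstration."""
import re
import xml.etree.ElementTree as ET

# Constructed sample build file: Struts version managed through a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.3.31</struts.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId><artifactId>junit</artifactId><version>4.12</version>
    </dependency>
  </dependencies>
</project>"""
NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Inclusive (low, high) ranges from the NVD entry; fixed in 2.3.32 and 2.5.10.1.
VULNERABLE_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]

def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1), so tuple comparison orders releases."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def is_vulnerable(version):
    """True when the version lies inside an affected range for CVE-2017-5638."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in VULNERABLE_RANGES)

def find_struts_versions(pom_xml):
    """Map artifactId -> resolved version for org.apache.struts dependencies."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    found = {}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        if dep.findtext("m:groupId", "", NS).strip() != "org.apache.struts":
            continue
        version = dep.findtext("m:version", "", NS).strip()
        # Resolve ${struts.version}-style references declared in <properties>.
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), version)
        found[dep.findtext("m:artifactId", "", NS).strip()] = version
    return found

def audit_pom(pom_xml):
    """Return (artifactId, version) pairs that must be upgraded before rebuilding."""
    return [(a, v) for a, v in find_struts_versions(pom_xml).items() if is_vulnerable(v)]
```

Running `audit_pom(SAMPLE_POM)` flags `struts2-core 2.3.31`; a pom pinned to 2.3.32 or 2.5.10.1 returns an empty list, since the four-part fix version sorts above 2.5.10.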

“You can’t sit around and say, well, it takes six months so we’re doing the best we can,” says Corman, who formerly served as chief technology officer of Sonatype until he left in March 2016. “The mean time to exploit is days.”

To be sure, it is possible that developers—and their automated, code-pulling software development scripts—are downloading faulty versions of Struts, yet not using them in any final product. It’s also possible that programmers are fixing the code themselves before deploying applications. It’s even possible that some organizations are relying on other security tools, like web application firewalls, to filter out possible attacks aimed at the flawed software.

Occam’s Razor suggests, however, that most organizations are simply failing to adhere to the most basic tenets of IT hygiene: Patch—promptly.

“I would expect, especially given the rage around Equifax, people would be finding ways to increase response time to remediate bugs in projects they rely upon,” Corman says.

Given Sonatype’s findings, apparently that’s not the case.
