Former Equifax CEO blames breach on a single person who failed to deploy patch
https://www.theverge.com/2017/10/3/16410806/equifax-ceo-blame-breach-patch-congress-testimony
This summer, a breach at the credit bureau Equifax compromised Social Security numbers and other sensitive data on more than 145 million people — and ever since, experts have been puzzling over how the company allowed it to happen. The attackers seem to have broken into the system by exploiting a public vulnerability in Apache’s Struts software, but by the time the compromise occurred, a patch for that vulnerability had been available for months. So why didn’t Equifax deploy the patch?
Speaking to the House Energy and Commerce Committee, former Equifax CEO Richard Smith gave the most detailed answer to that question we’ve heard so far. According to Smith, the team internally discussed the Struts vulnerability when it was first announced by CERT on March 8.