Tuesday, May 14, 2013

ColdFusion Vulnerability Nets Attackers SSNs and DL Numbers

A ColdFusion vulnerability whose patch was released in January 2013 was used by attackers against the Washington State Administrative Office of the Courts (AOC). The attackers compromised 160,000 Social Security Numbers and about a million drivers' license numbers.

Organizations may need to take a close look at their patch philosophies, since many would have difficulty testing and deploying an application server patch in such a relatively short time window. This compromise highlights the importance of defense in depth, and of protecting data through the enterprise architecture as a whole rather than relying only on the capabilities of a particular product.
