The Equifax breach, for instance, was traced back to a vulnerability inside the Apache Struts Website server program. If the organization had installed the security patch for this vulnerability it might have averted the condition, but occasionally the program update by itself is compromised, as was the situation in https://www.researchgate.net/publication/365308473_Development_of_Cyber_Attack_Model_for_Private_Network
