by jstarfish 3213 days ago
> I want to see Equifax's CEO, CTO, CSO and anyone who ever saw a report saying "we need to invest more in security" and ignored it, to pay.

The issue here is likely related to business units that were acquisitions, with the breached product in question having been developed pre-acquisition by a code farm staffed by interns in some developing nation. I spent a few years trying to unfuck some of those messes and moved on.

It's more a problem with their reckless growth over the last decade than anything. (ed) Due diligence is obviously lacking, but I can personally attest that nobody in senior leadership there willfully ignores matters of security once it becomes known.

3 comments

We don't know if this has anything to do with any acquisitions - this is a conjecture, at best.

At any rate - I don't care. I never gave Equifax permission to collect my personal data. I certainly never gave them permission to store it in a way that it can easily be hacked. If you buy a 3rd party company, "unfuck" and harden their software BEFORE you let the data flow in.

Allowing data to slip out is negligent. If you're in the army, or the intelligence community, you get punished for this. It's about time the private sector felt some sort of accountability.

This so much. The stream of corporations passing the buck into a black hole of irresponsibility needs to end now. If people aren't held responsible, they will continue to make these failings without pause. I hope everyone is writing their legislators and congresspeople right now. They listen more than even my disillusioned self thought. They just might have bigger incentives to act otherwise. But if they don't know, they can't even choose to be corrupt or not; they are ignorant by proxy. Communicate to your leaders, and remember their response when you vote.
The only real solution here is that we need consumer privacy laws similar to Germany's-- not more scrutiny of those who participate in the PII trade.

There is no reason beneficial to consumers to be collecting intelligence of this nature.

The best way to punish them is for us all to organize and create a Proposition that bans them from being a credit bureau, etc. If this passes in California, it will destroy them as a company.
The problem here is that they've expanded their core business to be so pervasive, they're no longer reporting on just your credit history-- they've also moved into the employment history, salary history, etc. space. So you kill their financial tentacle, they'll still be collecting intelligence for other purposes.
Not really conjecture:

> The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

Since core business was unaffected (nobody hacked the mainframe), I guarantee you some crappy product they acquired got compromised.

And like it or not, you do give them permission to collect your personal data every time you authorize a creditor, utility or employer to run a credit check. Never sign up for utilities, loans, credit cards or get a job and then you'd have a case for privacy.

It could also be related to how they sell things. Given how commonly they redistribute this data I wouldn't be surprised if it turned out to be something like a customer portal where they can say it wasn't core because the attacker couldn't have altered data, etc.
Oh, good, it wasn't their _core_ business. What a bullshit copout - you acquire a company, you own it, warts and all. Who's worse, the crappy company or the company that acquires it and continues to operate it without fixing it?
You probably did if you have any sort of bank account or loan or job application or rent. It's pervasive in contracts/agreements that they report to partners and credit agencies.
I find it difficult to reconcile your second and third paragraphs.

I guess choosing not to prioritize security (vs profit or whatever) when making acquisitions is different than just ignoring it entirely.

If that were the case, then who approved the acquisition? Who did due diligence on it?

Suddenly letting a bunch of untrusted, poorly audited code run on your infrastructure is itself a massive security breach. And even that doesn't explain how data was extracted for two months with no one noticing.