by JonMR 3203 days ago
Do they not get their apps security scanned? In my experience, checking that all requests go over HTTPS is the first thing that the security teams check. You'd think since Equifax works with banks they'd force them to adhere to some kind of security testing.

Exactly! This is so bad. Way worse IMHO than a failed patch or default admin/admin password in terms of showing a lack of competence. Those are ops issues. This showed core issues in their ability to architect and develop secure code. This wasn't a missed patch or config file; it was flat-out not knowing how to write an even remotely secure (on the wire) application.