[lolinder]

If the bank failed to apply industry-standard security techniques then yeah, I'd say the bank leaked money. The criminals are obviously the most culpable, but when you're storing more than 100 million SSNs it's not unreasonable to expect your IT department to:

* Update their dependencies within two months of a critical security vulnerability being patched (Mar 7 to May 12).

* In the event of a breach, detect it within a reasonable timeframe (76 days is not reasonable when you're the Fort Knox of financial information).

* Have a reasonably well-segmented network such that a compromise in a single user-facing web app doesn't lead to your entire network being compromised.

[g051051]

> Update their dependencies within two months of a critical security vulnerability being patched (Mar 10 to May 12).

They thought they did, but failed.

> In the event of a breach, detect it within a reasonable timeframe (76 days is not reasonable when you're the Fort Knox of financial information).

Impossible to guarantee. A sophisticated enough attack might never be detected, regardless of the competence of the security department.

> Have a reasonably well-segmented network such that a compromise in a single user-facing web app doesn't lead to your entire network being compromised.

It is impossible to so completely segment a network. If I can get the data via an authorized program, that means there's a path between networks and a hacker can potentially exploit that path.

[lolinder]

> They thought they did, but failed.

Oh, never mind then. Clearly since they thought they updated the dependency it's all good.

> Impossible to guarantee. A sophisticated enough attack ... It is impossible to so completely segment a network ...

While I will acknowledge that this seems to have been Equifax's approach to security (it's impossible to do completely so why bother doing it at all?), this is not widely accepted as a philosophy of security in any industry.

That a bank could still be robbed by a military incursion from a neighboring nation state is not sufficient reason to leave the vault door open overnight. The record abundantly shows [0] that Equifax had security protocols that were weak enough that no sophisticated actor was needed to bypass their protections.

As far as their failure to detect the breach, this is what the House investigation concluded:

> Equifax allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains. Failure to renew an expired digital certificate for 19 months left Equifax without visibility on the exfiltration of data during the time of the cyberattack.

[0] https://oversight.house.gov/report/committee-releases-report...

[smaudet]

And they should have been held accountable, were they?

If such an entity demonstrates gross negligence yet there are no repercussions, perhaps it is worse than negligence, it is outright larceny - Equifax could be characterizes as a govt supported cartel.

It is not unreasonable then we should actually physically destroy their premises and all related collected information as an active threat to the nation, as well as re-issuing all sensitive information to all affected individuals.

As for what to do instead, credit reporting need not be the important solution, rather one part of an accepted solution, such as multiple scores issued to multiple numbers that are not tied together by a single bureau. Then when credit checks are pulled it is not sufficient to use a single service and the incentive to illegally utilize said information decreases, as the relevance is reduced for any one credit check.

[g051051]

> And they should have been held accountable, were they?

Huge stock hit (since recovered, of course), top executives lost their jobs, fines, had to give away a paid product, extra oversight, cost of fixing security, several rounds of layoffs for the employees, etc.

> It is not unreasonable then we should actually physically destroy their premises and all related collected information as an active threat to the nation

This is why we can't get real, meaningful change. No wonder our "leaders" think so little of us.