
Seriously, Equifax? This Is a Breach No One Should Get Away With

41 points by SREinSF over 7 years ago

7 comments

atmosx over 7 years ago
"If a bank lost everyone's money, regulators might try to shut down the bank."

Oh really? I thought it depends on how big the bank is. Agencies giving triple-A to junk were punished so harshly...
efoto over 7 years ago
I think at this point the smart move to make is to devalue the stolen data: assume social security numbers are public information.
qw over 7 years ago
I think this incident is a very good argument for why NSA and the agencies in other countries should focus on publishing known exploits. This was probably not one that was known, but it shows what could happen if criminals get access.
williamscales over 7 years ago
I mean, Equifax is quite literally in the business of making sure people don't get away with things. It would be unfair to their mission for them to continue as a going concern.
djhworld over 7 years ago
I wonder if Equifax will face any international action, for example here in the UK we have Data Protection laws that can be used to fine companies for such breaches, although it's not entirely clear if British customer data has been affected.

Still, Equifax are probably quick to tell everyone if you've missed one payment on your credit card, but took a few months to say they've been hacked? Doesn't seem fair
devillius over 7 years ago
This is kinda how I feel. https://equifaxbreach2017.com/

FYI. That is not the real site.
sillysaurus3 over 7 years ago
I think it's important to take a step back, take a breath, and look at this rationally.

Look at what actually happened. Equifax was using the Spring framework. This is a very safe, popular choice. They were using what everybody else uses.

There was a critical vuln in the framework, and they failed to update their box for N months. But we're talking only a few months. N is very small -- maybe four? And yeah, you can argue that four months is an absurdly long time to have a known critical vuln in production. But I guarantee you that *everybody reading this* is similarly vulnerable. Whatever company you work for, if you do not have regular pentests, you are no better off. And even if you do, it's overwhelmingly likely that you've overlooked some lonely outdated server that's still running on your network because Bob set it up a year ago and forgot about it and oh look now you have a pivot into your whole network.

It seems very strange to choose this *one* company and crucify them just because they lost your data. Everybody is insecure everywhere always, and we've learned to tolerate this by pretending it's not true or that it doesn't exist or that it's not a big deal. But you know what? It is true. That truth will continue to manifest itself in the years to come. No matter how much you'd like it not to be true, your stuff will still get stolen. Usually you just don't hear about it.

Yes, it was stupid for them to have everybody's PII attached to that one webserver. A single point of failure should never result in compromising the whole system. But think about how that architecture would work in practice. A customer service rep still needs to get at most of your data. It's a credit bureau. Where would the data be stored in a way that a remote code exec wouldn't be able to snag it?

Equifax's crime boils down to "they failed to run the equivalent of sudo apt-get update on their framework." When you're managing a fleet of hundreds or thousands of machines, this is a situation that almost all of us have wound up in. If *we* can't get it right, why do you want the execs' heads to roll? Are you sure you won't be next on the chopping block?

Think about it this way: the time between "someone discovered a vuln in Spring" and "the attackers stole 150M credit reports" was just a few months. Are you sure Equifax wasn't a victim here? Someone threw a cinderblock through their window and made off with their trove of data.

Food for thought.