There are a few things here that <i>shouldn't</i> surprise me[0], but do. A credit reporting agency's one product is personal data (basically, it's you). Leaking that data basically makes it worthless (or worth a lot less) and besides affecting the people whose data was leaked[1], it damages the product of their competitors. You'd <i>think</i> that would be something that's protected with <i>so many layers</i> that a breach of their web property wouldn't make much of a difference[2].

At previous employers, without going into terribly much detail, we had an asset that was treated with the kind of security that something like this should have been treated with. It was on a segregated network that could only be accessed through proxy hosts, requiring two-factor authentication. The proxy hosts were hardened (only the specific, needed services/components installed/running, audited and firewalled to death). The devices in the secure network could not see the corporate network, let alone the Internet, and the corporate network/Internet could not see these devices. Even special 'management interfaces' for corporate devices were segregated. This was <i>in addition</i> to all of the rigor put into securing each endpoint.

Companies need to realize that security is purely a defense-related behavior. You have to be "perfect" 100% of the time, but your attacker need only be right a small number of times. The goal is to <i>increase the number of times</i> an attacker has to be <i>right</i> to get at your data. From ensuring your database accounts can only execute specific things[2], that your web servers are hardened and isolated to limit exposure, to properly configured firewalls (including application-layer firewalls/log analysis). And ensuring that employee access to high-value targets is as minimal as possible and protected thoroughly. There are both "preventative" and "reductive" technologies that need to be put in place. Preventative is designed to stop a breach; reductive is designed to ensure that if breached, the breach is either worthless (i.e. proper password hashing) or caught and interrupted before <i>all</i> of the data is exfiltrated. It's a lot easier to explain to investors (and your fellow countrymen) that a couple of million user accounts were exposed than it is to explain that 124 million of them left.

From the <i>looks</i> of it, it appears Equifax treats security like most large, non-tech businesses -- an expense that should be cut as deeply as possible. It's probably fitting that they have the word "fax" in their name. If I had a guess, they probably have mandatory security auditing requirements, they paid the least they could to meet that regulation, and got the answer they paid for (or found someone to give them the answer). I'll also guess that this PIN issue will turn out <i>not</i> to be the worst of the security practices in place -- I mean, how many weeks did they wait to report this[3]?

[0] I have a few years' history at a large corporation working in and around security. I've seen the ugly, though I feel that we handled things very well (incredibly well compared against Equifax!)

[1] i.e. <i>not</i> their customers.

[2] I'm thinking in terms of a typical SQL server, where one can eliminate table/view level access in favor of stored procedures that limit what they provide and require a level of knowledge of the operation of the system (and can be tracked by logging in a manner that identifies behavior that's not normal).

[3] And is it just me being overly cynical, or does anyone else think that they waited until a historic hurricane would dominate the news cycle before going public with it? It was pretty good timing, really -- coming right off of Harvey and right into Irma, it's easy to miss this story among the other big news (one 'general news/politics' site that I expected to see <i>all kinds</i> of headlines on had it quite low on the fold for a day and nowhere to be found, today). Or maybe they were just waiting to give time for more of their higher-ups to sell stock. /s
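The database least-privilege pattern from footnote [2] (an application login that can only call stored procedures, never read tables directly), written out as an added example for Microsoft SQL Server; this is not code from the original post, and the schema, table, procedure and login names are made up.

```sql
-- Added example, not from the original post. Microsoft SQL Server (T-SQL).
-- The web tier's login gets EXECUTE on one procedure and nothing else, so a
-- compromised web server cannot run arbitrary SELECTs against the table.
CREATE SCHEMA app;
GO

CREATE TABLE app.consumer (
    consumer_id   INT          NOT NULL PRIMARY KEY,
    last_name     NVARCHAR(80) NOT NULL,
    ssn           CHAR(11)     NOT NULL,   -- the high-value column; never returned
    credit_score  SMALLINT     NULL
);
GO

-- The only path to the data: one row, looked up by id, without the SSN.
-- Ownership chaining lets the procedure read app.consumer even though the
-- caller has no permission on the table, because both objects share an owner.
CREATE PROCEDURE app.get_score
    @consumer_id INT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT consumer_id, last_name, credit_score
    FROM app.consumer
    WHERE consumer_id = @consumer_id;
END;
GO

-- Dedicated login and user for the web tier; the password below is a
-- placeholder that should come from a secret store, not a script.
CREATE LOGIN web_app WITH PASSWORD = 'Placeholder-1-from-secret-store!';
CREATE USER web_app FOR LOGIN web_app;
GO

-- Grant exactly one thing, and explicitly deny direct table access so a
-- later role membership cannot silently reopen it.
GRANT EXECUTE ON OBJECT::app.get_score TO web_app;
DENY SELECT, INSERT, UPDATE, DELETE ON OBJECT::app.consumer TO web_app;
GO

-- Verify as the application user: the procedure call works, the direct
-- read fails with "The SELECT permission was denied".
EXECUTE AS USER = 'web_app';
EXEC app.get_score @consumer_id = 42;   -- allowed
SELECT ssn FROM app.consumer;           -- denied
REVERT;
GO
```

The denied SELECT is also the signal the footnote alludes to: a web-tier login attempting direct table reads is not normal behavior and is worth routing to an audit log.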