You present a fallacy. No, a rational company with accountability for its data doesn't outsource its IT security or let the intern access production. It takes its job seriously and prevents something like this from happening by building security into its architecture.
I have worked for companies that recognize they are liable for protecting the data they hold, and that it only takes one breach for trust to be destroyed. We spent countless hours hardening, compartmentalizing, and monitoring our infrastructure. The nihilistic implication that nothing can be done is maddening.
I don't disagree with that sentiment, but you have to deal with the whole triumvirate: Equifax, Experian and TransUnion.
Does LexisNexis collect financial data on individuals? I thought its focus was research.
Notably it's used by Bank of America
More information: http://www.latimes.com/business/lazarus/la-fi-lazarus-credit...
Are they a distant 4th then?
If you put a security alert on your profile with one of the big 3 agencies, it automatically propagates to the other 2. I wonder why it doesn't propagate to this agency as well.
All the CRAs endure attacks at a scale that is difficult to comprehend. It's frankly a surprise that something like this hasn't happened before to any one of the big 3.
Then again, I once did work for a bank, and witnessed an event where user PINs were discovered to be publicly available if one happened to know the magic URL. This discovery was made through the process of a pen-test team sharing their findings back to development, who in turn extended those findings based on what the developers knew about the system. Forensics done after the discovery revealed no cases of anyone actually finding the magic URL, which was a big relief for the company. So maybe the banks aren't as strong as we think, either. We have quite a few payment breaches to look back on as evidence.
Can you cite a source for how we "now know how terribly fast and loose Equifax was operating"?
Equifax is a CRA and is treated as a financial institution under the applicable laws, like banks are.
> Then again, I once did work for a bank, and witnessed an event where user PINs were discovered to be publicly available
Then you should know better than to simply claim that a company that suffers a breach is somehow inherently incompetent or uncaring about security.
THIS. And in this case we have blatant evidence of negligence: there is absolutely zero excuse in this day and age for not keeping operating systems patched up with security patches. There is no financial excuse, there is no logistical excuse, and given the sensitivity of the data, there is no ethical excuse. Take the responsibility seriously, or please just go off and die in a fire. (Or, if you're an Equifax executive, retire at the height of your incompetence.)
Which is why I shamelessly say: Fuck Richard Smith, fuck Equifax, fuck Susan Mauldin, and fuck their entire IT management staff. What the fuck is wrong with you people?
Disclaimer: I was recently hacked / had my identity stolen, and although I was fortunate to only have to wait 2 weeks to get back access to everything, I may be a little sore about stuff like this.
Equifax needs to wipe its data and all extant backups. Then it can be sold (for maybe ten dollars).
There are a lot of irrational companies in the world by that standard.