A banking company operating in 1999 is an entirely different context than Equifax operating in 2017. The web and its risks aren't new any more. Equifax's database being one webapp away from disclosure is entirely irresponsible - and if there is no alternative, then they'd need a kick-ass pen-testing, bug bounty, patching, WAF deploying, internal security program. If they had such a program, it would have caught this issue in multiple ways. If they weren't going to deploy the patch, they could have asserted rules in the WAF, for example. We can only assume, then, that this effort was either underfunded, poorly managed, or both.
Furthering their incompetence by linking to phishing sites in the aftermath, not offering data protection automatically, and suggesting US persons should pay them for protection (!) all point to the deeper corporate problem that is at the root of this issue, which is that they see US persons as suckers and don't really care about data privacy or information security. Otherwise, they'd have staff trained on response and they'd have social outreach folks validating URLs before posting as the company representatives.
It's totally appropriate for the CEO to resign.
