> I'm not asking you whether the House Republicans would call the expired certs negligent, or the security underprioritized. I'm asking you, as the reader of a technical forum.

No, that's not negligent. Nor was security "underprioritized". If you read the reporting on the issue (whether the government report or just reputable news), it show solid processes and procedures, but there were implementation flaws. There is no amount of security that will ever be perfect.

> Do you believe everything the government tells you? Or here, what one party tells you? At the very least, read the minority report linked elsewhere in this thread, and interpolate.

Considering that the report matches all the other reputable reporting on the issue? Yes, I believe it. Equifax is claiming "factual errors", but I'd have to see their response before commenting on that.

> Nowhere near huge enough

That's your opinion, but the market has decided otherwise.

> Equifax could care less what its unwilling inventory thinks of it.

Correct. I was talking about their customers...the businesses that supply and use their data and services.

> Name one victim whose damages are large enough to merit hiring a lawyer to comb all the contracts to identify the line where a bank promised that Equifax promised that the victim's data would be safe, and I'll show you a breach of contract. Hint: it's a different line for each victim.

Once you do that, prove that the information came from the Equifax breach, and not one of the dozens of other breaches, let alone the 4 other large breaches I cited.

> the damages to the public are "massively distributed" and infeasible to pin down, which is why there should be a criminal penalty, like we do for say, ozone-depleting chemicals.

Or their negligible and impossible to detect at any meaningful level.

> (sigh) you're probably right.

It's troubling that you seem to think violence is some sort of solution to any problem, let alone this problem.