Most security breaches are because of incompetence (typically management/oversight, rather than technical).
Equifax didn't have good oversight of which systems were patched and instead relied on a single employee to remember to do it. One got forgotten. People broke in using an old exploit and then leveraged into Equifax's network.
Equifax's first problem was bad patch policy. Its second problem was lack of network isolation/intranet security/onion-ing. As soon as an edge server was compromised, the attacker hit the jackpot and had everything.
The last problem was lack of audit/accountability into who/what was accessing sensitive data on the intranet. If they had that, they still would have been compromised and lost data, but not every customer's record (which took a long time).
Yes, people are unreliable; that's why we need a more resilient means to establish identity, like PKI. Consider PGP, for example. They could put QR codes on social security cards for all I care, just fix the real problem for once.
Yep, but now they will be able to play the victim card and wrap themselves in the American flag. The PR value of this is amazing.
Frankly, this really does explain why they were treated with kid gloves after the incident. I was certain, after the insider trading came to light, that the company would fight with the US government to stay alive.