
I understood the comment about aiding and abetting to be a reference to the fact that Equifax leaked about half of all Social Security Numbers back in 2017. For 145 million Americans the "harvested data" you refer to was data that the credit bureaus hoovered up and then failed to protect.


> Equifax leaked about half of all Social Security Numbers back in 2017.

They weren't leaked, they were stolen. Does a bank "leak money" when it's robbed?


If the bank failed to apply industry-standard security techniques then yeah, I'd say the bank leaked money. The criminals are obviously the most culpable, but when you're storing more than 100 million SSNs it's not unreasonable to expect your IT department to:

* Update their dependencies within two months of a critical security vulnerability being patched (Mar 7 to May 12).

* In the event of a breach, detect it within a reasonable timeframe (76 days is not reasonable when you're the Fort Knox of financial information).

* Have a reasonably well-segmented network such that a compromise in a single user-facing web app doesn't lead to your entire network being compromised.


> Update their dependencies within two months of a critical security vulnerability being patched (Mar 10 to May 12).

They thought they did, but failed.

> In the event of a breach, detect it within a reasonable timeframe (76 days is not reasonable when you're the Fort Knox of financial information).

Impossible to guarantee. A sophisticated enough attack might never be detected, regardless of the competence of the security department.

> Have a reasonably well-segmented network such that a compromise in a single user-facing web app doesn't lead to your entire network being compromised.

It is impossible to so completely segment a network. If I can get the data via an authorized program, that means there's a path between networks and a hacker can potentially exploit that path.


> They thought they did, but failed.

Oh, never mind then. Clearly since they thought they updated the dependency it's all good.

> Impossible to guarantee. A sophisticated enough attack ... It is impossible to so completely segment a network ...

While I will acknowledge that this seems to have been Equifax's approach to security (it's impossible to do completely so why bother doing it at all?), this is not widely accepted as a philosophy of security in any industry.

That a bank could still be robbed by a military incursion from a neighboring nation state is not sufficient reason to leave the vault door open overnight. The record abundantly shows [0] that Equifax had security protocols that were weak enough that no sophisticated actor was needed to bypass their protections.

As far as their failure to detect the breach, this is what the House investigation concluded:

> Equifax allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains. Failure to renew an expired digital certificate for 19 months left Equifax without visibility on the exfiltration of data during the time of the cyberattack.

[0] https://oversight.house.gov/report/committee-releases-report...
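The expired-certificate finding quoted above is the kind of thing a routine inventory check catches. The script below is an added example, not code from the thread or from the House report: it audits a constructed inventory of hosts (the hostnames, roles and dates are made up) for expired and soon-to-expire certificates, ranks expired certificates on monitoring systems first since those are the ones that remove visibility, and includes a live check built on the standard library. One caveat the live check handles: with verification enabled, Python's default TLS context rejects an expired certificate before `getpeercert()` returns, so the function reports the verifier's message instead of a date in that case.

```python
# Added example: audit a certificate inventory for expired / soon-expiring
# certificates, grouped by the role of the system each certificate protects.
# Not code from the thread or from any report. Hostnames, roles, dates and
# the reference "now" below are constructed sample data.
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Constructed inventory. In practice this comes from an asset list; the
# 'notAfter' strings use the same format that ssl.getpeercert() returns.
INVENTORY = [
    {"host": "www.example.test",         "role": "public-web", "notAfter": "Jan 30 23:59:59 2018 GMT"},
    {"host": "tls-inspect.example.test", "role": "monitoring", "notAfter": "Nov 30 23:59:59 2015 GMT"},
    {"host": "ids-sensor.example.test",  "role": "monitoring", "notAfter": "Aug 10 12:00:00 2017 GMT"},
    {"host": "payroll.example.test",     "role": "internal",   "notAfter": "Mar 1 00:00:00 2019 GMT"},
]

WARN_DAYS = 30
# Constructed reference date so the audit is reproducible offline.
REFERENCE_NOW = datetime(2017, 7, 29, tzinfo=timezone.utc)


def not_after_utc(cert_time):
    """Convert an ssl-style 'Mon DD HH:MM:SS YYYY GMT' string to an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def classify(not_after, now, warn_days=WARN_DAYS):
    if not_after <= now:
        return "EXPIRED"
    if not_after - now <= timedelta(days=warn_days):
        return "EXPIRING"
    return "OK"


def audit(inventory, now, warn_days=WARN_DAYS):
    """Return one finding per host, worst first."""
    findings = []
    for entry in inventory:
        exp = not_after_utc(entry["notAfter"])
        findings.append({
            "host": entry["host"],
            "role": entry["role"],
            "status": classify(exp, now, warn_days),
            "days_left": (exp - now).days,
        })
    # Expired before expiring before OK; within a status, monitoring systems
    # first (an expired cert there blinds detection), then soonest expiry.
    order = {"EXPIRED": 0, "EXPIRING": 1, "OK": 2}
    findings.sort(key=lambda f: (order[f["status"]], f["role"] != "monitoring", f["days_left"]))
    return findings


def blind_spots(findings):
    """Monitoring hosts whose certificate has already expired."""
    return [f["host"] for f in findings if f["status"] == "EXPIRED" and f["role"] == "monitoring"]


def fetch_not_after(host, port=443, timeout=5.0):
    """Live check (needs network). Returns the notAfter string, or the
    verifier's message (e.g. 'certificate has expired') if the default
    context refuses the certificate, since getpeercert() never runs then."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as e:
        return e.verify_message


if __name__ == "__main__":
    for f in audit(INVENTORY, REFERENCE_NOW):
        print(f"{f['status']:<8} {f['days_left']:>6}d  {f['role']:<11} {f['host']}")
    print("blind spots:", blind_spots(audit(INVENTORY, REFERENCE_NOW)))
```

Run it as-is to see the constructed inventory ranked; to audit real hosts, replace each `notAfter` string with the value `fetch_not_after(host)` returns, treating a returned verifier message as EXPIRED.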


And they should have been held accountable, were they?

If such an entity demonstrates gross negligence yet there are no repercussions, perhaps it is worse than negligence; it is outright larceny. Equifax could be characterized as a govt-supported cartel.

It is not unreasonable, then, that we should actually physically destroy their premises and all related collected information as an active threat to the nation, as well as re-issuing all sensitive information to all affected individuals.

As for what to do instead, credit reporting need not be the important solution but rather one part of an accepted solution, such as multiple scores issued to multiple numbers that are not tied together by a single bureau. Then, when credit checks are pulled, it is not sufficient to use a single service, and the incentive to illegally utilize said information decreases, as the relevance is reduced for any one credit check.


> And they should have been held accountable, were they?

Huge stock hit (since recovered, of course), top executives lost their jobs, fines, had to give away a paid product, extra oversight, cost of fixing security, several rounds of layoffs for the employees, etc.

> It is not unreasonable then we should actually physically destroy their premises and all related collected information as an active threat to the nation

This is why we can't get real, meaningful change. No wonder our "leaders" think so little of us.


IMO, "leaked" is probably the better word here. Equifax did not steal the data in the first place either; they recorded/copied it from other sources which leaked or sold it to them.


> other sources which leaked or sold it to them.

Every data source (such as a bank or credit card) provides that data to CRAs because consumers granted permission to do so when entering into a business relationship. Either that, or it's publicly available data purchased from aggregators.


> because consumers granted permission to do so when entering into a business relationship

Do we have an actual choice?


You could not get a loan or credit, I guess.

There are costs to that approach, of course.


Wildly unfeasible. The consumer does not have a choice, they do not have an ability to live within their means without incurring credit checks.

Take housing: perhaps it is possible to purchase a home outright with cash; however, you will generally not find anyone willing to take payment in cash.

If you cannot afford that and are not taking a loan, then you must rent. However, you cannot rent without a credit score.

So no, the consumer did not consent to anything. This is a ridiculous and dishonest viewpoint.


How did you get that from what I wrote?

And notably, it’s entirely possible to rent without a credit check. Just not big corp places.

My current place didn’t check my credit, and they weren’t the only ones. I was disappointed they didn’t. But a lot of the cookie cutter places will.

