Burglary victims should be your first consultation, because most people who weren't burgled were probably just lucky, or were burgled but haven't realized it yet.
If there are 10 houses, a burglar tries to get into all 10 but only succeeds on 2, then you should talk to the 8 owners who successfully protected their houses. If there are 1000 houses, a burglar tries to get into 10 but doesn't tell you which 10, and succeeds on 2, you should talk to those 2 owners because they know for a fact what can fail. 990 owners will just say "do what I do" without having any evidence that their strategy is actually safe.
Or, you know, maybe stop talking to homeowners, victims or not, and start talking to people who make locks and safes. Actual subject matter experts rather than targets.
CEOs, at best, will be proxies for whatever security personnel they have on staff and we have no way of evaluating the credentials of those security staff. At worst, they'll be advocating for policies that reduce their exposure/costs at the expense of greater overall fraud costs.
The senate should use their own knowledgeable proxy in this case. NIST has already shown itself capable of creating security standards of a reasonable quality. Run another public competition for a national ID system capable of replacing SSN and let real security professionals propose (and then debate) a way out of the current mess. Senators can then codify the results of that process into law.
> Or, you know, maybe stop talking to homeowners, victims or not, and start talking to people who make locks and safes. Actual subject matter experts rather than targets.
You want to talk to the burglars. They already know the locks and safes and likely know even better how to break them than the creators. In this case, you want to talk to hackers.
The reason Congressional panels do things like this is to put on a good show. They like to be seen dealing with higher-level matters/people as a demonstration of stature.
No - the problem here isn't hacking, it's allowing a fixed, easily learned number to be a sole proof of 'identity'. SSNs were used in identity theft long before hackers.
Technically, it is still only one data point: we should probably run some kind of controlled study to verify that this is actually a problem before we go overboard.
Ok, so why didn't they? Should we ask TransUnion what went wrong at Equifax, and what laws and regulations are needed, if any? Or should we ask Equifax?
The parent post was sarcasm. Equifax did not follow security practices that are common and widespread in the industry. And by industry I don't mean credit reporting companies, but companies that have systems connected to the internet.
Make the liability for data safekeeping lie with the company that holds the data. You don't see medical records having issues like this, because the laws surrounding them are quite fierce.
I will actually answer your question, because Equifax has already explained:
One guy was supposed to install the update, but forgot for some reason. Everything was his fault.
Did you expect anything else from a company so incompetent? With a paltry $3b/year, they can't be expected to pay for more than one person to install updates.
You force companies to secure data by giving out enormous fines to the company and criminally charging the negligent or incompetent corporate officers.