
Were the companies you worked for dealing with data at the scale of Equifax? Were they under the kind of unceasing attack that the Equifax systems are? Do you think you could have withstood that kind of assault on your systems?

All the CRAs endure attacks at a scale that is difficult to comprehend. It's frankly a surprise that something like this hasn't happened before to any one of the big 3.




It's only surprising because we now know how terribly fast and loose Equifax was operating. I certainly assumed they knew their job and were operating more akin to a bank in terms of data protection.

Then again, I once did work for a bank, and witnessed an event where user PINs were discovered to be publicly available if one happened to know the magic URL. This discovery was made through the process of a pen-test team sharing their findings back to development, who in turn extended their findings based on what developers knew about the system. Forensics done after the discovery revealed no cases of anyone actually finding the magic URL, which was a big relief for the company. So maybe the banks aren't as strong as we think, either. We have quite a few payment breaches to look back to as evidence.


> It's only surprising because we now know how terribly fast and loose Equifax was operating. I certainly assumed they knew their job and were operating more akin to a bank in terms of data protection.

Can you cite a source for how we "now know how terribly fast and loose Equifax was operating"?

Equifax is a CRA and is treated as a financial institution under the applicable laws, like banks are.

> Then again, I once did work for a bank, and witnessed an event where user PINs were discovered to be publicly available

Then you should know better than to simply claim that a company that suffers a breach is somehow inherently incompetent or uncaring about security.


A banking company operating in 1999 is an entirely different context than Equifax operating in 2017. The web and its risks aren't new any more. Equifax's database being one webapp away from disclosure is entirely irresponsible - and if there is no alternative, then they'd need a kick-ass pen-testing, bug bounty, patching, WAF deploying, internal security program. If they had such a program, it would have caught this issue in multiple ways. If they weren't going to deploy the patch, they could have asserted rules in the WAF, for example. We can only assume, then, that this effort was either underfunded, poorly managed, or both.

Furthering their incompetence by linking to phishing sites in the aftermath, not offering data protection automatically, and suggesting US persons should pay them for protection (!) all point to the deeper corporate problem that is at the root of this issue, which is that they see US persons as suckers and don't really care about data privacy or information security. Otherwise, they'd have staff trained on response and they'd have social outreach folks validating URLs before posting as the company representatives.

It's totally appropriate for the CEO to resign.


> We can only assume, then, that this effort was either underfunded, poorly managed, or both.

Pure conjecture on your part. You have no insight into their security program. The only thing you can accurately infer is that they missed this one.

The phishing site thing was pretty stupid, though, I agree.


> Equifax was negligent to spill all that data, but a business model that requires all that data in one place is itself a form of negligence. - Matt Blaze

http://thehill.com/opinion/technology/350197-equifax-breach-...


I'm not sure how this opinion piece figures into anything. He's entitled to his opinion like anyone else, but his saying it's negligence, without any legal basis for the claim, is just puffery.


You disagree that the business model itself is a form of negligence?


Of course. You don't?



