Exactly; seems like they fell prey to a sort of decision paralysis (perhaps due to revenue lost in implementing protection). A lot of companies are having this problem. Regulation is inevitable & required.
Its earlier fear was for _its own data_, where it had skin in the game: "Investigators from the company and the FBI came to view events at Equifax as potentially a huge theft of data—not of consumers’ personal data, as happened with the subsequent 2017 hacking of Equifax’s files, but of confidential business information."
Loss of info it collected on the rest of us is no skin off its nose and falls under the Don't Care category.
I understand that they hired some people to improve security. They didn't immediately overhaul everything, but how could you? You can't replace a whole organization at once. There's a lot of institutional knowledge and things in motion even at dysfunctional ones.
