The three big questions Equifax hasn't answered

No. 2: What measures should Equifax have taken to protect personal information?

No. 3: What's the gap between the answers to Questions 1 and 2?

...

The credit-rating agency has been so stinting about information on its hack -- even after keeping the episode secret from the public for six unexplained weeks after detecting the intrusion -- that there's no way to evaluate 1, 2 or especially 3 yet.

But notably absent from the public statements by Equifax have been key terms such as "encryption" or "system monitoring" or "penetration testing." All are staples of modern online security widely adopted across corporate America and especially within the financial services industry, given the high degree of sensitivity about the information it keeps on us all.

...

A breach of "143 million records either suggests a very patient, sophisticated hacker or an incredibly weak security system," said Matthew Green, a Johns Hopkins University cryptographer and security expert.

The uncommonly stern and detailed letter sent Monday by Sens. Orrin G. Hatch (R-Utah) and Ron Wyden (D-Ore.) -- the chairman of the Senate Finance Committee and its ranking Democrat -- drove at exactly these issues, warning about the hack's potential to create massive costs to consumers targeted by identity thieves and "irreparable harm" to government programs that might be inundated with fraudulent requests for refunds or benefits.