As pressure builds on Equifax to explain how criminals hacked into a massive trove of data on 143 million Americans, the list of unanswered questions is long. But most boil down to three big ones:

No. 1: What measures did Equifax take to protect personal information?

No. 2: What measures should Equifax have taken to protect personal information?

No. 3: What's the gap between the answers to Questions 1 and 2?


The credit-rating agency has been so stinting about information on its hack -- even after keeping the episode secret from the public for six unexplained weeks after detecting the intrusion -- that there's no way to evaluate 1, 2 or especially 3 yet.

But notably absent from the public statements by Equifax have been key terms such as "encryption" or "system monitoring" or "penetration testing." All are staples of modern online security widely adopted across corporate America and especially within the financial services industry, given the high degree of sensitivity about the information it keeps on us all.


A breach of "143 million records either suggests a very patient, sophisticated hacker or an incredibly weak security system," said Matthew Green, a Johns Hopkins University cryptographer and security expert.

The uncommonly stern and detailed letter sent Monday by Sens. Orrin G. Hatch (R-Utah) and Ron Wyden (D-Ore.) -- the chairman of the Senate Finance Committee and its ranking Democrat -- drove at exactly these issues, warning about the hack's potential to create massive costs to consumers targeted by identity thieves and "irreparable harm" to government programs that might be inundated with fraudulent requests for refunds or benefits.
