lolinder|2 years ago
If the bank failed to apply industry-standard security techniques then yeah, I'd say the bank leaked money. The criminals are obviously the most culpable, but when you're storing more than 100 million SSNs it's not unreasonable to expect your IT department to:
* Update their dependencies within two months of a critical security vulnerability being patched (Mar 7 to May 12).
* In the event of a breach, detect it within a reasonable timeframe (76 days is not reasonable when you're the Fort Knox of financial information).
* Have a reasonably well-segmented network such that a compromise in a single user-facing web app doesn't lead to your entire network being compromised.

g051051|2 years ago
> Update their dependencies within two months of a critical security vulnerability being patched (Mar 10 to May 12).
They thought they did, but failed.
> In the event of a breach, detect it within a reasonable timeframe (76 days is not reasonable when you're the Fort Knox of financial information).
Impossible to guarantee. A sophisticated enough attack might never be detected, regardless of the competence of the security department.
> Have a reasonably well-segmented network such that a compromise in a single user-facing web app doesn't lead to your entire network being compromised.
It is impossible to so completely segment a network. If I can get the data via an authorized program, that means there's a path between networks and a hacker can potentially exploit that path.

drewmol|2 years ago
IMO, "leaked" is probably the better word here. Equifax did not steal the data in the first place either; they recorded/copied it from other sources which leaked or sold it to them.

g051051|2 years ago
Every data source (such as a bank or credit card) provides that data to CRAs because consumers granted permission to do so when entering into a business relationship. Either that, or it's publicly available data purchased from aggregators.