I don't honestly know what the mechanism of breach was for any of the more well-publicized ones.
Even if it was due to gross irresponsibility, for which an organization like Equifax should have to pay if that's proven, it's irrelevant once the data is "out there." Like a bell, you can't "unring" it.
My central point is that no matter what the security protocol, and how good it is, there is always going to be someone who can and will break through it, even if the only purpose for doing same is bragging rights. Cybersecurity is the world's biggest game of cat and mouse, which is why some of the most notorious actors on the "I've broken in" side end up being paid some very big bucks if they decide to switch sides.
The article linked to includes the following: "This vulnerability was disclosed back in March. There were clear and simple instructions of how to remedy the situation. The responsibility is then on companies to have procedures in place to follow such advice promptly," says Bas van Schaik, a product manager and researcher at Semmle, an analytics security firm. "The fact that Equifax was subsequently attacked in May means that Equifax did not follow that advice. Had they done so this breach would not have occurred."
My only comment, and it's not to excuse Equifax, either, is that my observation and experience are that IT departments in large organizations are very often loath to apply patches until they've had something bad happen and/or a ridiculous amount of time to "analyze" same. There is this insane attitude that every patch should be treated as hugely suspect and likely, rather than highly unlikely, to break something. This is, I believe, part of the reason that Microsoft introduced the "Windows as a Service" concept with automatic updates. Any software maker wishes they could rely on their users to promptly apply patches, when supplied. This allows "everyone" to be operating on the same metaphorical page. The truth is, in practice, far far too many people and organizations will resist applying updates tooth and nail, very often with entirely predictable and devastating results (of which this particular incident is but one).
No one has put it better than our own usasma, who wrote the following about Windows Updates, but which is just as applicable to updates in general:
There really isn't a point to checking for updates and not installing them... It's important to install all available updates. I've been doing this since the days of DOS, and I still don't have the confidence to pick and choose among updates. There are just too many variables involved - and most people can't evaluate the full consequences of installing/not installing updates.
~ John Carrona, AKA usasma on BleepingComputer.com, http://www.carrona.org/
The risk from installing updates, particularly if you are in an enterprise setting and doing so on a small number of testing and production machines before going wide, is much smaller than the risks posed by refusing to install them.
Edited by britechguy, 14 May 2018 - 11:30 AM.