Besides the severity and scope of the pilfered data, the Equifax breach also stands out for the way the company has handled the breach once it was discovered. For one thing, it took the Atlanta-based company more than five weeks to disclose the data loss. Even worse, according to Bloomberg News, three Equifax executives were permitted to sell more than $1.8 million worth of stock in the days following the July 29 discovery of the breach. While Equifax officials told the news service the employees hadn't been informed of the breach at the time of the sale, the transaction at a minimum gives the wrong appearance and suggests incident responders didn't move fast enough to contain damage in the days after a potentially catastrophic hack came into focus.
What's more, the website www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation WordPress, a content management system that doesn't provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn't perform proper revocation checks. Worse still, the domain name isn't registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people's details. It's no surprise that Cisco-owned Open DNS was blocking access to the site and warning it was a suspected phishing threat.
Meanwhile, in the hours immediately following the breach disclosure, the main Equifax website was displaying debug codes, which for security reasons, is something that should never happen on any production server, especially one that is a server or two away from so much sensitive data. A mistake this serious does little to instill confidence company engineers have hardened the site against future devastating attacks.
It was bad enough that Equifax operated a website that criminals could exploit to leak so much sensitive data. That, combined with the sheer volume and sensitivity of the data spilled, was enough to make this among the worst data breaches ever. The haphazard response all but guarantees it.