I can’t remember what I got but yes it amounted to nothing. Free credit monitoring that had a million upsells and dark patterns meant to make them more money. That’s my recollection but it’s all fuzzy because we’ve all been breached so many times.
Not enough downvotes for this. I'm assuming this is all BS considering you got all the details wrong. It was the CEO who got a $3 million bonus in 2016, not the CIO. Susan Mauldin, who earned a music degree in college, was the Equifax CISO, not their CIO.
The reason I'm so salty about your response is when the breach happened, there were tons of news reports denigrating the CISO because she had a music degree. There may be a ton of reasons she wasn't good at her job (though it's hard to say as CISO is often a "sacrificial lamb" job anyway), and I'm certainly not defending Equifax, but I take major issue with the implication that a music degree makes someone unqualified for a tech job.
First, as she was CISO, she was presumably done with college many, many years ago. Lots of people have college degrees that aren't necessarily directed to the career they end up in. More importantly, though, I've found that there is a direct correlation between highly trained musicians and great software engineers. I don't know if it's a "same part of the brain" thing or whatever, but I'm actually astounded at the sheer number of "best of the best" software engineers I've worked with that are classically trained musicians. It's to the point that when hiring I give "extra points" if you will to musicians because, in my experience at least, the correlation is so strong.
So, frankly, you can take your "she had a music degree" shade and shove it.
As a former insider, I agree with all of this. Thanks for being a voice of sanity.
The music degree scrutiny is unnecessarily derogatory and borderline misogynistic. She was a fine executive and predictably the first one thrown under the bus. I can't say she revolutionized anything, but I had no complaints about her competence. (By comparison, the male C-levels in the company I currently work under have relevant degrees from impressive institutions. I see them watching porn, engaging in insider trading and doing God knows what on Tor...while our latest two product launches failed.)
Equifax's fate was sealed by the CEO himself. We had highly-competent security teams that kept up with CVEs, ran CABs, everything a "secure" org should do...but there was always a top-down culture of "I'm not saying don't patch systems, but don't impact production" at every level. This sort of event was inevitable under Smith's leadership.
Show me any reference that says she didn't have a security background in her actual job experience. I couldn't find her roles but she had jobs at First Data, Sun Trust Bank, and Hewlett Packard. This article makes the same point: https://www.thesslstore.com/blog/equifaxs-cso-music-major-co...
I've worked with several senior people ("Principal Enterprise Architect", etc...) who were music majors, and as a rule they were terrible at their jobs. They just... didn't care about anything even vaguely related to computers. Without exception they got into their positions through nepotism, ass-kissing, or dirty politics. None got there through talent.
People who like computers do it as a hobby. They learn programming at a young age, they get a CS degree or a hard science degree, and then they spend their spare time on tech forums like HN.
People who don't like computers play music, learn painting, or do something else. They get degrees in the arts or humanities. They spend their spare time playing music at the local pub, or whatever.
PS: One of the worst programmers I had ever met is also one of the best musicians I had ever met.
Sorry, this is utter bullshit. Got into engineering late, and this mindset is just typical engineer snobbery. It's like the toxic "10x engineer" trope that also needs to die, as if taking an unconventional career path or not living and breathing open source contributions and tech blogs in your spare time means you aren't a Real Engineer™
> People who like computers do it as a hobby. They learn programming at a young age, they get a CS degree or a hard science degree, and then they spend their spare time on tech forums like HN.
Well that's me and trust me, you don't want me in charge of any IT department. Maybe it's cause I also like music.
Sorry you had that experience, but that certainly wasn't mine. Don't want to reveal too much but some very high level people in the tech world that you've probably heard of (or at least heard of their companies) have strong musical backgrounds.
Very high level people in the tech world are often politicians, climbing the ladder through their social skills.
I've observed an inverse relationship between technical skill and career progression in all technical industries.
It's always the pimply junior contractor tech who is the Global Administrator doing the actual work, and the "very high level people" struggle with copy-paste from one email to another.
That's total bullshit. She was a music major in college, presumably some 20 or so years before her job at Equifax, and in the interim she had jobs at major banks and tech companies. People act like she was a musician until just before she plopped into Equifax.
Sundar Pichai majored in metallurgy engineering. How much of his college coursework do you think he uses day-to-day?
You should read the approved judgements with the various State AGs that outline the measures, Government oversight and reporting Equifax is still required to do to prevent a future occurrence.
Should it happen again then you would very likely hear calls for Gov to step in and take direct control of the firm.
> Should it happen again then you would very likely hear calls for Gov to step in and take direct control of the firm.
We heard calls for similar last time, but I don't think anybody expected the legal/regulatory response to be anything resembling an existential threat to Equifax, and it wasn't. I don't see why the second time would be any different—we are surrounded by examples of how our dogshit government is utterly derelict in its duty to protect workers and consumers, and arguably complicit across the vast scope of corporate abuse of the same.
When anyone talks about Equifax's "customers" that means Government at all levels along with every corporate who isn't using a competitor. I would think a takeover similar to what happened with Fannie Mae/Freddie Mac could happen as much to maintain Equifax as a going concern and protect the credit markets as an actual penalty. Consumers still get screwed.
So, what would be the motivation to avoid future things like this happening again?