A few things to think about…
For starters, Equifax bears the responsibility. To be in the business and reap the benefits they also have to accept the risk and absorb the losses as well. There are some pretty disheartening issues with their response, for sure. That said, I can’t see how our modern lending system (therefore our economy) can function without someone collecting and managing this type of data.
I’ve seen, and worked with, many companies post-breach and it’s not easy - everyone will pick apart even honest mistakes. The bad thing is some of these issues aren’t just trip-ups, some appear to be outright traps.
What’s publicly known about the breach, at least AFAIK, isn’t really enough to slip a noose around their neck just yet. The real question here, for me at least, is did they follow appropriate state-of-the-art practices and provide the proper standard of care? Even if they did, breaches can and have occurred. If they ignored known security issues, or refused to follow proper practices, that’s another thing entirely. So far, what’s known publicly is there was an app vuln that was exploited. Did they know about it and roll the dice on not patching it? Was it an in-house coded app? Were proper app security coding practices followed? Were proper OWASP mitigations in place, and were WAF systems and processes in place? Some of the developers here are quite familiar with an app vuln and a decision to put off fixing it due to operational, capital or other perceived costs in the short term, and how that cycle can continue for far too long. Bottom line is there is a lot to consider here. Just because you are breached does not mean you didn’t do your job or didn’t do it well. But it could mean that or worse. Details matter.
Ultimately, I am a huge advocate for the best security practices. When one thinks about a breach like this and how it might affect them, and what they think Equifax should / could have done to prevent it, also put those same practices into place in their work as well. Despite security having the highest level of visibility and acceptance it has ever enjoyed, there is still a lot of nay-saying out there - dismissing security concerns due to the effort, costs, and denials over the impacts. This comes from all walks of life - execs, administrators, developers, even board members.
Of course, security is never absolute, it is only possible to limit and manage the risk.