Whenever a big data breach happens – like the Equifax one – there is almost always a predictable order of subsequent events:
1. The breach happens.
2. The affected company announces it.
3. The news outlets pick up the story and make it known to the general public.
4. Security researchers wonder how the breach might have happened and investigate further.
Then there is the aha moment: security researchers stumble upon a catastrophic lack of security practices, countless vulnerabilities and breaches of well-established protocols.
Does It Have to Be Like This?
In the end, the public often knows more about the dangerous vulnerabilities in the company's website than the actual attacker. Given enough eyeballs, all bugs become more shallow – particularly once an organisation is under public scrutiny.
Going back to the series of events, you might conclude that we could completely eliminate events one to three if there were more security researchers examining the security of their own products. So what would have happened if someone had warned Equifax about vulnerabilities on their websites before the breach happened? Would they have listened to concerned researchers?
In 2016 Equifax Was Notified That Their Website Was Vulnerable to a Cross-Site Scripting (XSS) Vulnerability
Basic XSS on Equifax, still working after being reported...