I recently wrote about the hard lessons learned in risk as a result of the Equifax breach. Having watched and read parts of the ongoing Congressional hearing with former CEO Richard Smith, I wanted to revisit the issues I posed in my original article as the crux of Equifax's problems, because much of what I have heard in the testimony has borne them out.

Broken escalation process

In my last article I argued that either Equifax had no escalation process or, if it did, that the process was severely broken and reflected a systemic problem with its information security program. Smith testified that while he heard rumors of "suspicious activity" on July 31st, he didn't ask for a briefing, nor did anyone recommend one to him, until August 17th. Smith also admitted that after that briefing he still "did not know the size, the scope of the breach." It took another week before the Board of Directors was briefed, showing a complete lack of concern for the privacy of customers' data from the top down.

Security starts at the top, and it's clear that if the person at the top isn't making it a priority, neither will the organization. And we are talking about a company that holds the most sensitive financial information of most American adults.

Broken patching process

So, given the approach Equifax took in handling this breach, would it surprise anyone to learn that out of the 250 "security personnel" Smith testified the company employs, only one employee was responsible for patching? No, it wouldn't. Nor does it surprise me that the company relied on scanning software to determine whether there were any vulnerabilities in its infrastructure. Nor does it surprise me that sensitive data was left unencrypted and that there was no consistent handling of data.

This demonstrates the difference between "checkbox security" and "defense in depth." The checkbox approach asks: Do we have a scanner? Check! Do we have someone to patch things? Check! Do we encrypt stuff? Check! What do we do when one of these fails? What if these things are not actually sufficient to safeguard the data we hold? No one is really sure, but let's agree to meet once a quarter and talk about our posture.

Equifax, like so many other companies, was not committed to defense in depth. In defense in depth, you apply "overlapping systems designed to provide security even if one of them fails... Defense in depth provides security, because there's no single point of failure and no assumed single vector for attacks." (Bruce Schneier, Security in the Cloud) If there were ever a system that called for defense in depth, it is one that stores consumers' financial information without their direct consent.

Smith said forensic investigators are now looking at why the scanner failed to identify the vulnerability. But a vulnerability scanner can only flag what it can reach and recognize, so the more telling question is what it was supposed to be covering in the first place. Forensic investigators should instead be looking at how Equifax could spend $250M over three years and apparently not have an inventory of the software it used, redundancy in the personnel responsible for managing patches, or a consistent encryption policy for sensitive information across all systems.

So, as the Equifax investigation continues to unfold and blame and potentially penalties are dealt out, what of the 140+ million people whose data has been lost to the darknet?

Time to kill the SSN?

I believe we are witnessing a tipping point for an archaic framework that needs to die and be reborn as something built from the ground up to operate in the highly connected world we live in. Social Security numbers have been passed around from businesses to hospitals to banks to car dealerships. They are the keys to our lives, yet they are less secure than a username and password: a single static value that serves as both the identifier and the secret, is known to every party it has ever been shared with, and is effectively impossible to rotate once it leaks.

Will the answer be found in some form of two-factor authentication tied to a blockchain? I don't know. What I do know is that we as 21st-century netizens need a way to identify ourselves that upholds non-repudiation while requiring little or no trust in the party on the other end that needs to know who we are. Credit freezes should be the default, not optional and at a cost. No one should ever be able to pull a credit report without that person's explicit consent. Perhaps a current technology coupled with guidelines like those in the EU's General Data Protection Regulation (GDPR) could combine to create the system and processes we need to protect ourselves.