I hope Equifax will be learning from this, but can you tell your CEO that your core business must be shut down for 3 weeks as you upgrade and rebuild the system?
Yes, the risk is much higher than the cost. From the article:
> The company's internal review of the incident continued. Upon discovering a vulnerability in the Apache Struts web application framework as the initial attack vector, Equifax patched the affected web application before bringing it back online.
That bullet point lies between the "July 30th" and "August 2nd" bullet points. Based on that timeline, the vulnerability took days to patch.
That is not even close to an excuse. A remote code execution vulnerability has the potential to destroy your whole company.