If Experian failed to patch...
...then I hope they get their hind legs sued off. I'm one of the poor buggers whose info is now public domain thanks to them. What kind of security people do these idiots have working for them? I heard that they hired a security firm AFTER they were penetrated. WTF?
You folks in the EU are lucky with the new data protection laws coming over there. If we had those laws here, and they were in effect now, Experian would likely be going bankrupt, as it deserves if it was penetrated due to a known, but unpatched vulnerability.