More important are two things: the moat and the motive. The moat is the one between communications and applications. Communications say things, and applications interact with things. There are crossover areas, but something like email is designed and overwhelmingly used to say things, while websites and apps are overwhelmingly designed and used to interact with things. The moat between communication and action is important because it makes it very clear what certain tools are capable of, which in turn lets them be trusted and used properly. We know that all an email can ever do is say something to you (tracking pixels and read receipts notwithstanding). It doesn't download anything on its own, it doesn't run any apps or scripts, attachments are discrete items, unless they're images in the HTML, which is itself optional. Ultimately the whole package is always just going to be a big , static chunk of text sent to you, with the occasional file riding shotgun. Open it a year or ten from now and it's the same email. And that proscription goes both ways. No matter what you try to do with email, you can only ever say something with it -- with another email. If you want to do something, you leave the email behind and do it on the other side of the moat.
While Go's "go get" functionality is no doubt naive and just pulls the head of a repository, this is not exclusively Go's problem as this affects any package manager that runs on tags. Simply tag malicious changes beyond the current release and it would be deployed to many users likely with little actual review.
As for tax ID numbers, the Equifax spokeswoman said they "were generally housed in the same field" as Social Security numbers. She added that individuals without a Social Security number could use their tax ID number to see if they were affected by the hack. Equifax also said, in response to questions from The Wall Street Journal, that some additional drivers' license information had been accessed. The company publicly disclosed in its Sept. 7 breach announcement that drivers' license numbers were accessed; the document submitted to the banking committee also includes drivers' license issue dates and states.