Even in an era when cyberattacks are commonplace, it’s hard to think of one that made bigger fools of consumers and lawmakers alike than the Equifax breach. The credit-reporting agency, which keeps dossiers full of background check–worthy personal information on nearly all American adults, exposed the data of more than 145 million people. That’s nearly half the U.S. population—at least one person in every family, it’s estimated—who are now at greater risk of having their identities stolen, their financial accounts broken into, their credit ruined.
What’s even more infuriating is that Equifax (EFX) could have averted the disaster just by patching a known vulnerability in its software. Instead, the company dithered for months, allowing hackers to strip-mine Social Security numbers, addresses, credit card numbers, and more from mid-May through July, it said. When Equifax finally discovered the disaster, its first response was not to warn consumers. After waiting nearly six weeks before disclosing the breach in September, it hatched a strategy to turn its victims into paying customers—by signing them up for credit monitoring services, which originally contained fine print depriving them of the right to sue.
What is the penalty for such rank corporate incompetence? The answer, under current rules, is nothing much. Unlike with food, medicine, toys, and other consumer goods, there are few criminal or civil laws on the books that punish companies when they’re careless with consumers’ data. Congressman Greg Walden (R-Ore.) articulated the prevailing sense of impotence during a House hearing about the breach: “I don’t think we can pass a law that fixes stupid.”
It’s of course easy to rail against Equifax and its executives (some of whom sold millions of dollars’ worth of stock before the breach was disclosed, avoiding an initial 35% drop). But the problem goes deeper. Equifax and the two other major credit-reporting agencies—Experian (EXPGY) and TransUnion (TRU)—enjoy nearly monopolistic control over a critical industry. “The culture of the big three is to underinvest in policies to protect consumers,” says Chi Chi Wu, a National Consumer Law Center attorney.
And why should they? They have little incentive to protect consumers’ information: The companies’ real customers are banks, mortgage providers, and marketers to whom they sell that data—business that accounted for nearly two-thirds of Equifax’s $3.1 billion in revenue last year. Indeed, Equifax may actually profit off its own fiasco: If just one out of 10 victims were to buy its credit monitoring services, which it is offering for free for only a year, it would double its annual revenue. And boycotts are hardly an option: To opt out of a credit score is to opt out of modern financial life itself. As Equifax’s now former CEO Richard Smith testified in October, if consumers were allowed to abandon the credit system, it would be “devastating to the economy.”
The better answer is systemic reform to the credit oligopoly. One proposal, cosponsored by Sen. Elizabeth Warren (D-Mass.), is to force the credit bureaus to provide consumers with a free and easy way to freeze their credit. Other proposed reforms could compel credit bureaus to take cybersecurity more seriously, such as by mandating adherence to national technology standards and software updates. Megan Stifel, an attorney and cyberexpert with digital rights group Public Knowledge, is in favor of requiring companies that host sensitive data to insure themselves against a breach, and others suggest it may be time for criminal laws to apply to executives who are grossly negligent with private information.
While politicians of both parties are now proposing consumer protections, they are likely to face heavy resistance from the industry—TransUnion, for one, has been hiring lobbyists in the wake of the Equifax scandal. Still, as breaches become increasingly common—and galling—there will be growing pressure to make sure that the custodians of that data face real penalties when they let down their guard.
The lucrative business of credit reporting appears to be chugging along despite the astonishing scale and potential implications of the Equifax data breach.
145.5 million people: Number of U.S. consumers who had their personal data stolen by hackers in the Equifax breach—nearly half the country’s population.
$9.4 billion: Combined annual revenue of the three big credit bureaus—Equifax, Experian, and TransUnion—who together control consumer credit scores.
$16 billion: Money stolen as a result of identity theft last year in the U.S., according to Javelin Strategy & Research. That’s up 5% from 2015 and poised to rise further.
24%: Decline in Equifax’s share price since the hack was disclosed. That relatively modest loss suggests investors don’t expect the breach to threaten the company’s survival.
A version of this article appears in the Nov. 1, 2017 issue of Fortune with the headline “The People vs. the Credit Oligarchs.”