Last week, Equifax — one of the country’s three major credit-reporting agencies alongside Experian and TransUnion — revealed that its security apparatus had been breached. “Hackers” obtained private financial information the company held on over 140 million Americans. This is the third major security breach Equifax has suffered in the past two years, and it is by far the worst. Cybersecurity experts call it a 10 out of 10 on the catastrophe scale — with the negative consequences potentially lasting for decades.

Equifax became aware of the hacks on July 29 and the company’s top brass took immediate action. But rather than moving to alert the public that their information could be compromised, on August 1 and 2, three leading executives — including the company’s chief financial officer (CFO) John Gamble — sold nearly $2 million worth of shares in the company. Traders also noticed a sudden — and suspicious — selling of Equifax stock options.

A stock option is the right to sell stocks in the future at a fixed price now. If executives knew the stock was going to quickly drop in value once the breach was made public, and decided to sell stock options that weren’t “exercisable” until after the company planned on making the breach public, that would at the very least amount to dubious legal behavior.

In July, Equifax listed 260 such traded stock options. In August, the month the company learned of the breach, that number jumped tenfold, to 2,600.

An Equifax spokesman said that executives “had no knowledge that an intrusion had occurred at the time they sold their shares.” According to Bloomberg News, however, none of the sales were scheduled in advance with the Securities and Exchange Commission, a common practice to avoid accusations of insider trading. And it’s difficult to believe the CFO wouldn’t have immediately been informed about the largest security failure in the corporation’s history. Gamble has been with the company since 2014 and has only once sold shares prior to last month’s sale.

A lackluster response

Compared to the stock-selling extravaganza, Equifax’s customer-service response to the “disappointing event,” as CEO Richard Smith called it in a press statement, has been tepid. The company didn’t publicly disclose the hacks for over a month. In the meantime, Equifax hired a customer-service agency to assist with the volume of calls they’d be receiving once they did. Yet the company didn’t inform the agency of who was likely affected by the breach, so when people started calling in, the outsourced contact centers were unable to provide useful information.

The company also offered a one-year free trial with TrustedID — an identity protection company acquired by Equifax in 2013. With TrustedID’s credit-monitoring services, those who signed up would be able to definitively tell if their financial data was exposed through the breach.

However, the service appeared to come with a catch. Equifax’s Terms of Use spelled out that by signing up, customers would waive the right to participate in a class-action lawsuit. After a social-media backlash, Equifax clarified that the “arbitration clause and class action waiver included in the Equifax and TrustedID premier terms of use does not apply to this cybersecurity incident.”

Prior to last week, it’s doubtful most Americans knew what Equifax was. But since the breach was revealed, many have questioned why a company they’ve never heard of or signed up for has access to names, addresses, social security numbers, credit card numbers and a slew of other personal details stolen by hackers.

The truth about credit scores

Equifax is a credit-reporting agency. When you apply for credit, the credit score that determines the interest rate lenders will offer you likely comes from Fair, Isaac and Company (FICO) — 90 percent of “top” lenders use them for credit scoring. FICO became the standard scoring system in 1995, when Fannie Mae and Freddie Mac began using it to decide on their mortgage sales.

Credit scores, however, don’t determine if a lender will approve your credit application. The credit reports that lenders get from credit-reporting agencies do (along with your debt-to-income ratio, employment and residential history).

The variance between why your credit application is approved and why it’s approved at a particular interest rate is significant. FICO scores — determined by your credit history — exclude relevant positive data such as homeownership, potential future earnings and your savings. Lenders, however, do include these factors when approving your application.

Lenders actively look for lower credit scores — as part of their monthly goals, many lending departments have a designated percentage of “colorful” credit approvals they’re encouraged to hit. Customers with low credit scores caused by errors such as mistakes in student loan deferment, unpaid medical bills, tax liens or lack of credit history are frequently the most profitable.

Credit reports are notoriously difficult to read and even more difficult to dispute. Until the Fair Credit Reporting Act (FCRA) of 1970, citizens didn’t even have a legal right to see their own credit reports. Before then, it was lending industry protocol not to allow customers to see them.

In practice, this process can still be burdensome for consumers. Lenders will often tell an applicant that in order to obtain a copy of their credit report, they need to contact the credit-reporting agency directly. Lenders will blame this bureaucratic obstacle on the credit-reporting agency, but lenders prefer this arrangement just as much as the agencies themselves, because it puts applicants at an informational disadvantage.

Before codified reporting took off in the 1950s, credit reports were essentially lists of biographical facts that credit managers thought encapsulated a customer’s character and mindset. Age, race, gender, nationality, work experience, financial prospects and political loyalties were included. So were personal habits like drinking, gambling and excessive party-going. Even medical history was included. If, for example, a woman recently suffered a miscarriage, this could indicate to a lender that she had recent medical bills and may be traumatized by the loss of her baby, thus unable to work or pay off new debts.

Codification was a technocratic solution to a real problem, taking personal life details out of credit score determinations. After the passage of FCRA, this reform offered a brokered peace between the financial sector and consumers. The financial sector’s coding system generally took into account matters strictly financial such as high credit card balances and late payments, but it was also incomprehensible to the average person.

Surveillance in the digital economy

For most of the 20th century, credit-reporting agencies held a near monopoly on private-sector surveillance. When the FBI or IRS needed pernicious details about an individual, they often turned to credit-reporting agencies. But with the advent of social media and search engines that store your browser history, data-collecting has branched out of the financial sector and into the larger digital economy.

While many companies still check credit reports when hiring new employees, managers can now also routinely monitor Facebook and Twitter pages. This has forced credit-reporting agencies to expand their services beyond data storage to — in the words of Equifax’s CEO in 1998 — “predicting the future of portfolios and individual consumers.”

The scope of information obtained by the Equifax hackers likely won’t be known for many years. As of last week, the company’s security has changed from asking for the last four digits of customers’ social security numbers to asking for the last six, so it’s safe to assume that if you were included in the breach, the last four digits of your social security number are likely out there.

Equifax reports that the company “has found no evidence of unauthorized activity on Equifax’s consumer or commercial credit reporting databases,” but what this means exactly is unclear. In 2012, the New York Times uncovered that credit-reporting agencies had a two-tiered system: one for high-end individuals and one for the rest of us.

If there’s anything positive to be taken away from Equifax’s security blunder, it’s that it reminds us that in a shadowy surveillance economy, we aren’t the employee or the consumer, but the product. What’s to be done about this is up for debate — but not one we’re allowed to have any say in.