Most organizations affected by hacks and leaks have treated the matter with great seriousness and care, understanding that their reputations were on the line. But whether intentionally or not, Equifax appears to have leaned into the new malaise, treating this massive breach with the bureaucratic apathy one might expect from a big, faceless credit-reporting agency—a company everyone must use, but no one chooses to.

The announcement of the breach, which came after hours on Thursday, offered the first sign of indifference. Media outlets, including The Atlantic, rushed to cover the matter, but details were slim. When my colleague Gillian White contacted them, Equifax offered no further comment beyond the materials they had published on an informational website. Other outlets experienced similar silence.

Those websites confused the matter more than they clarified it. The company had launched a new domain, equifaxsecurity2017.com, to communicate about the breach. That site appeared, to some users, like a phishing effort. Given the option to assuage concern, why set up a new domain that would only instill more of it? Once a visitor is inside, this sensation only amplifies. The site offers a tool to “determine if your personal information may have been impacted by this incident,” but accessing it requires submitting a last name and the last six digits of a social-security number. That’s a lot of data to hand over to anyone, especially an organization that has just demonstrated that it cannot be trusted with it.

Once submitted, the website either confirms no impact, or it offers an ambiguous response, inviting the supposedly impacted person to sign up for credit-monitoring services from TrustedID Premier, an Equifax subsidiary. Even that task cannot be performed immediately; the user is presented with a date on which the process can continue. The website also warns that no further notice will be provided to the user. It recommends marking your calendar. Even those who were not affected, according to Equifax’s confusing tool, are invited to sign up for TrustedID, making the whole affair feel like a grotesque marketing campaign.

In press coverage and on social media, some have speculated that submission of the personal information requires the individual to agree to Equifax terms of service that mandate arbitration in the case of dispute. If true, such an agreement would prohibit affected parties from suing Equifax, including via class-action lawsuits. But even this point seems unclear. TrustedID Premier’s terms of use do require agreeing to arbitration to use the service, but TrustedID’s services are separate from Equifax’s. The terms page itself is identical to the one that appears on TrustedID’s stand-alone website, although it was updated the day before the breach was made public, suggesting that the company buttoned up in anticipation.