The Better Business Bureau’s reason for being is to protect unsuspecting consumers from harm by businesses, and yet it maintains its “A” rating for Equifax, a business that may have done more harm to consumers than any other in recent history.

The world learned on September 7 that Equifax had been the victim of a hack that exposed data on 143 million people to theft. Many, many people had no idea that Equifax even held their data, because the company vacuums up data from banks, credit card companies, and retailers. And the exposed data was notable for being unusually rich.

In fact, the BBB’s own Howard Schwartz described the event to the Danbury (Conn.) Daily Voice as “startling” in scope. “This information includes the basic building blocks of identity theft, such as consumers’ names, addresses and Social Security numbers,” he said.

While Equifax has made a business of greedily hording the information that punishes consumers who have imperfect credit, it has so far gone relatively unpunished for a security posture that left mountains of data exposed to hackers.

So what gives? According to the BBB, until it is proven that Equifax was at fault in the hack, its “A” rating will stand.

“At this point it hasn’t been shown that there’s been any malfeasance by the company,” says spokeswoman Katherine Hutt. “So at this point they are a victim in the same way the consumers are a victim until the investigation is complete or until there’s a government action.”

Actually, many security experts have already weighed in to say that such a massive breach was preventable. Equifax blamed a flaw in the Apache Struts Web Framework–a bug that was revealed in March. This suggests Equifax had time to fix the problem before the main part of the breach occurred in May.