The breach of the credit monitoring firm Equifax, which exposed extensive personal data for 143 million people, is one of the worst corporate data breaches to date. But, incredibly, the mistakes and the superlatives don't end there. In the three weeks since the company first publicly disclosed the situation, a steady stream of gaffes and revelations has painted a picture of Equifax's deeply lacking response to catastrophe.

Equifax's bungles kicked off quite literally on day one, when the company directed potential victims to a separate domain—equifaxsecurity2017.com—instead of simply building pages to handle the breach off of its main, trusted website, equifax.com. Observers quickly found bugs, some of them serious, in that breach-response site. All the while, Equifax asked people to trust the security of the site, and to submit the last six digits of their Social Security number as a way of checking whether their information had been potentially compromised in the breach.

The site also seemed slapdash, even though Equifax says it learned about the mega-breach at the end of July and took roughly six weeks to disclose it. During that time, the company could conceivably have planned and executed a much more robust and reassuring resource for wary consumers.

"There should have been a very comprehensive set of policies and procedures for what to do to respond," says Jonathan Bernstein, the president of Bernstein Crisis Management, which works on institutional response to all sorts of disasters including data breaches. "It’s going to be more difficult to convince people that they can now safeguard data, because Equifax has undermined their credibility from the way they’ve responded. They made the situation worse."

Further revelations this week indicate that even more basic problems plagued Equifax's handling of its response website. In the weeks since Equifax disclosed the breach, the company's official Twitter account has mistakenly tweeted a phishing link four times instead of the company's actual breach-response page. Lucky for Equifax, the page isn't actually malicious. Developer Nick Sweeting set up securityequifax2017.com—versus the legitimate equifaxsecurity2017.com—to show how easily the site could be spoofed, and how ill-advised it was for Equifax to break it away from its main corporate domain: with the real site on a throwaway domain that carried no reputation, users had no reliable way to tell the two apart. But if it hadn't been a proof-of-concept, the phish Equifax inadvertently promoted could have done a lot of harm. Sweeting says the fake site has had roughly 200,000 page loads.
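The two failures above (a response site on a fresh domain, and an official account linking to a lookalike of it) are exactly what a pre-publication link check on a corporate social-media account is meant to catch. The following is an added example written for this page, not Equifax's or Sweeting's code. It assumes a single trusted registrable domain (`equifax.com`) and a brand token (`equifax`), and uses two heuristics: any host that is not the trusted domain or one of its subdomains but contains the brand string anywhere is a lookalike, and any registrable label within a small edit distance of the trusted label is a probable typosquat. The tweet text and the helper names are constructed for the example.

```python
import re
from urllib.parse import urlparse

TRUSTED_DOMAIN = "equifax.com"   # the company's real, trusted domain (from the article)
BRAND_TOKEN = "equifax"          # assumption: the brand string we treat as "ours"
TYPO_DISTANCE = 2                # assumption: labels within 2 edits count as typosquats

URL_RE = re.compile(r"https?://[^\s)\"'<>]+")


def edit_distance(a, b):
    """Plain Levenshtein distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of the host.

    Assumption: a two-label registrable domain (fine for .com); a real deployment
    would use the Public Suffix List so that e.g. example.co.uk is handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url, trusted=TRUSTED_DOMAIN, brand=BRAND_TOKEN):
    """Return 'trusted', 'lookalike', 'external' or 'invalid' for a URL.

    Only the trusted domain and its subdomains are 'trusted'. Anything else that
    carries the brand string (equifaxsecurity2017.com, securityequifax2017.com,
    equifax.com.evil.net) or sits within TYPO_DISTANCE edits of the trusted
    label (equifx.com) is a 'lookalike' and should block publication.
    """
    host = urlparse(url).hostname or ""
    if not host:
        return "invalid"
    host = host.lower()
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    if brand in host:
        return "lookalike"
    trusted_label = trusted.split(".")[0]
    candidate_label = registrable_domain(host).split(".")[0]
    if edit_distance(candidate_label, trusted_label) <= TYPO_DISTANCE:
        return "lookalike"
    return "external"


def check_post(text):
    """Map every URL in a draft post to its classification."""
    return {url: classify_link(url) for url in URL_RE.findall(text)}


def safe_to_publish(text):
    """True only if every link in the post points at the trusted domain."""
    return all(v == "trusted" for v in check_post(text).values())


if __name__ == "__main__":
    # Constructed draft tweet for the example; not a real Equifax post.
    draft = ("Worried about the breach? Check here: https://securityequifax2017.com "
             "or visit https://www.equifax.com/personal")
    for url, verdict in check_post(draft).items():
        print(f"{verdict:10} {url}")
    print("publish:", safe_to_publish(draft))
```

Note what the check says about the legitimate site: `equifaxsecurity2017.com` is classified as a lookalike too, because from the outside it is indistinguishable from the spoof. That is the practical argument for hosting breach pages under the trusted domain: a policy that allows the real response site through would also have to allow Sweeting's.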

"When your social media profile is tweeting out a phishing link, that's bad news bears," says Michael Borohovski, the cofounder of the website security firm Tinfoil Security.

Equifax also confirmed this week that it had suffered another, previously disclosed network breach in March, though the company did not provide details on what data, if any, was affected. Complicating things even more, a document from Mandiant (the firm investigating Equifax's more recent incident) obtained by the Wall Street Journal indicates that there was an additional March invasion, likely pulled off by the same attackers who carried out the mega-breach between mid-May and July. The technical details are still murky, but the incidents in March raise new questions about whether Equifax executives who sold almost $2 million in company stock in early August were aware of the breach when they unloaded the assets. Equifax has said that they "had no knowledge that an intrusion had occurred at the time they sold their shares."

The accumulation of missteps, slow disclosure, and problematic public response with so many millions of innocent consumers potentially affected deeply troubles security practitioners. "These are all indicators of a company that had a horrible security culture," says Tinfoil Security's Borohovski. "Unfortunately, the only word for it is negligence."