A year later, Equifax criticized, boasting of change

Published 12:00 am Saturday, September 8, 2018

A year after hackers broke into Equifax’s network and stole the personal information of 148 million Americans, a report by a consumer watchdog group is lambasting the credit reporting agency for not addressing its vulnerabilities earlier and for botching its response to the unprecedented breach.

Moreover, the report — issued Thursday by the U.S. Public Interest Research Group and the National Consumer Law Center — criticized lawmakers and regulators for not holding the Atlanta-based company accountable for its failures.

“Equifax has yet to pay a price or provide consumers with the information and tools they need to adequately protect themselves,” said Mike Litt, consumer campaign director for the U.S. Public Interest Research Group.

Equifax officials, however, are touting their efforts to shore up data defense and say the agency is offering more ways for consumers to protect themselves: free credit freezes and locks, which seal credit reports and prevent thieves from opening lines of credit in a consumer’s name, and notifications when credit lines are established.

“In the past year, we have undertaken a host of security, operational and technological improvements,” a written statement from the company said. “In fact, in 2018 alone, we will increase our investment in security and technology by more than $200 million.”

Critics say those efforts are overdue.

It was a year ago Friday that Equifax announced a massive breach of the data it held. The cause was “Equifax’s carelessness,” Litt said. “This may not have been the biggest breach ever, but it’s the worst.”

That exposure — unprecedented in scope and magnitude — gave thieves the chance to steal millions of identities and possibly lure consumers into costly scams.

Still, the report says, the sins of Equifax started long before the breach was announced. “Had Equifax not been so careless, the breach may never have happened. Four months before the hacking, Equifax could have fixed a known security vulnerability,” it asserts.

Even after realizing the data had been accessed, the company was slow to let the public know of the hacking, the report says.

Then, to make matters worse, the company botched its response, the report says, by setting up flawed assistance online, understaffing its call center and, at first, compelling aggrieved consumers to sign away their right to sue.

Equifax this week declined an interview, issuing a written statement instead. The company did not respond specifically to the report, but said protecting data is its “top priority.”

“We recognize that cybersecurity impacts not just us, but the entire industry. We are committed to collaborating with our peers, customers and partners to find solutions for emerging security challenges, create collective perspectives, document best practices and work together to deliver solutions that benefit the security community and ultimately consumers,” it said.

Meanwhile, the company has been hit with a class-action suit. And in the wake of the hack, the company named new executives to manage security and technology, as well as a new chief executive to replace Richard Smith.

Despite the public vitriol and the money spent on better processes, the data world is not that different now, said Humayun Zafar, a professor at Kennesaw State’s Center for Information Security Education.

“What I’ve not seen from Equifax is a marked change in their cybersecurity culture, post breach,” he said. “Without a shift in culture, a lot more breaches will continue to occur.”

It’s not all the fault of Equifax — consumers need more education, he said. “I think, from a consumer perspective, not much has changed. A majority of the general public may not understand what information of theirs is in the public domain and needs to be protected to begin with.”
