Hackers breached one of the most lucrative targets for fraudsters and identity-theft rings, but it took weeks to find out about it. Equifax announced yesterday that up to 143 million people had vital financial data exposed, including Social Security numbers and credit-card data. The credit tracking company learned about the hack on July 29th, giving the criminals a six-week window before consumers could take steps to protect themselves, and they haven’t gotten the response ready even with that lead time:

The 143 million Americans whose data was impacted by Equifax’s massive data breach may not be feeling reassured by the company’s response.

Equifax is offering a free credit monitoring service for the 143 million Americans whose data was impacted by their breach. Unfortunately, Equifax is also telling customers they must wait several days to enroll for the service.  …

As many consumers suspect, hackers don’t wait around for them to sign up for credit-monitoring before using their data. Hackers and criminals appear to have had the data for months — Equifax learned about the breach on July 29, but didn’t disclose the hack publicly until Thursday.

Well, not everyone had to wait around for the data to become public. Bloomberg reports that three senior Equifax executives sold off stock after the hack but before the hack was announced. Equifax claims that the executives did not know of the hack, but …

Three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach that may have compromised information on about 143 million U.S. consumers.

The trio had not yet been informed of the incident, the company said late Thursday.

The credit-reporting service said earlier in a statement that it discovered the intrusion on July 29. Regulatory filings show that on Aug. 1, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 scheduled trading plans.

The three “sold a small percentage of their Equifax shares,” Ines Gutzmer, a spokeswoman for the Atlanta-based company, said in an emailed statement. They “had no knowledge that an intrusion had occurred at the time.”

Worth noting: Equifax stock shed 13% of their value today after the hack was announced. Don’t expect anyone to take this denial at face value, especially not the Securities and Exchange Commission, who might want some answers as to why the information was so closely held for so long, too. Even apart from the impact on consumers, investors made a lot of decisions on Equifax’s value over the last six weeks, and they deserved to know then about the risk to their investments.

Execs will have to answer for the sneaky way they’ve gone about “protecting” angry consumers, too. The terms and conditions for the “free” TrustedID Premier service they will fund includes a pledge not to participate in any class-action lawsuits, a clause that many will miss in their haste to get protection from Equifax’s failure:

The terms of use for the credit-monitoring service, which is called TrustedID Premier, also appears to require consumers sign away their right to sue Equifax. By waiving away their legal rights, consumers instead agree to mandatory arbitration, a tactic that has come under fire by consumer rights advocates as “rip-off clauses” because they bar consumers from banning together to sue in a class action.

To recap thus far: Equifax didn’t properly secure incredibly personal consumer data, didn’t tell consumers and investors for six weeks after discovering they were at risk, had three executives sell off stock while it was still a secret, and now are offering protection to the victims only if they agree not to hold Equifax responsible. Good luck with that:

A proposed class-action lawsuit was filed against Equifax Inc. late Thursday evening, shortly after the company reported that an unprecedented hack had compromised the private information of about 143 million people.

In the complaint filed in Portland, Ore., federal court, users alleged Equifax was negligent in failing to protect consumer data, choosing to save money instead of spending on technical safeguards that could have stopped the attack. Data revealed included Social Security numbers, addresses, driver’s license data, and birth dates. Some credit card information was also put at risk. …

“In an attempt to increase profits, Equifax negligently failed to maintain adequate technological safeguards to protect Ms. McHill and Mr. Reinhard’s information from unauthorized access by hackers,” the complaint stated. “Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach. Equifax could have and should have substantially increased the amount of money it spent to protect against cyber-attacks but chose not to.”

Let’s just say that Equifax will have a lot of explaining to do to a lot of people.