Talk about your unhappy anniversary: A year ago today, Equifax disclosed that hackers stole personal information from 147.7 million Americans from its server.

On a Thursday afternoon a year ago, Equifax explained that hackers infiltrated their network and stole customer names, Social Security numbers, birth dates and addresses, affecting more than half the US population.

While plenty of breaches have been announced since the hack, few have touched a nerve like Equifax's breach. The sheer scale of affected Americans -- many of whom never signed up with the credit-monitoring service -- marked a new low at a time when hacks had grown to be an increasingly common occurrence. Even a year later, lawmakers are frustrated that the company hasn't faced any legal repercussions, even as a new team at Equifax are trying to win back the nation's trust.

Shortly after the disclosure, then-CEO Rick Smith apologized in a video. Consumers raged over social media, specifically around how broken Equifax's website was as millions of people wanted to find out if they were affected by the breach.

"Together we will serve our customers, support consumers and strengthen our data security capabilities," Smith said in a video. "In the process, we will build a stronger company, with many great days ahead."

It's been 365 days, and it's unclear when those great days will start showing up.

Inside the company, there's been major changes. Three weeks after the breach became public, Smith stepped down from the credit monitoring company. The Securities and Exchange Commission charged a former Equifax executive with insider trading after he made millions from selling shares before the public knew about the attack. Equifax also hired a new chief security officer to keep the company safe from future hacks.

But outside, the difference is hard to tell. It's still unclear who was behind the hack. Security experts also aren't aware how the stolen data has been used.

Equifax as a company hasn't faced many consequences. In January, Democratic senators proposed a law that would require credit-reporting agencies to protect the data it's amassed and pay a fine if they are hacked. The bill never went anywhere.

"One year after they publicly revealed the massive 2017 breach, Equifax and other big credit reporting agencies keep profiting off a business model that rewards their failure to protect personal information -- and the Trump Administration and the Republican-controlled Congress have done nothing," Sen. Elizabeth Warren, a Democrat from Massachusetts, said in a statement.

Warren isn't the only one. At a House Energy and Commerce hearing on Wednesday, where the focus was on Twitter and its CEO Jack Dorsey, Rep. Ben Lujan, a Democrat from New Mexico, pivoted his attention to Equifax.

"We've not done anything as well for the 148 million people that were impacted by Equifax," Lujan said. "I think we should use this committee's time to make a difference in the lives of the American people and live up to the commitments that this committee has made: provide protections for our consumers."

It doesn't help that much of that early rage has subsided.

"If the breach happened 10 years ago, consumers would have been shocked and demanded change – now they are more likely to be jaded and under the assumption that someone already has their personal data or has access to it," Brian Vecci, a technical evangelist at Varonis, said in an email.

A Breach Post-Mortem

On the anniversary of Equifax's major breach, lawmakers released a report (PDF) detailing exactly how the credit-monitoring company was hacked.

The report comes from the Government Accountability Office, a watchdog organization from the federal government. The GAO reviewed documents from Equifax as well as files from the company's cybersecurity consultant to figure out how the company was hacked and what credit-monitoring services should do to protect itself.

The watchdog group also discovered that Equifax turned down assistance from the Department of Homeland Security, opting instead for a private, third-party cybersecurity company to help manage its breach response.

Government Accountability Office

The attack process started on March 10 when hackers searched the web for any servers with vulnerabilities that the US-CERT warned about just two days earlier. Two months later, on May 13, they hit the jackpot with Equifax's dispute portal -- a section where people could go to argue claims from the credit-monitoring service.

There, hackers used an Apache Struts vulnerability, a months-old issue that Equifax knew about but failed to fix, and gained access to login credentials three servers. They used those login credentials from the dispute portal and found that it allowed them to access another 48 servers containing personal information.

The thieves spent 76 days within Equifax's network before they were detected. According to the report, the hackers stole the data piece by piece from 51 databases so they wouldn't raise any alarms.

Equifax didn't know about the attack until July 29, more than two months later, and cut off access to the thieves on July 30.

Since then, Equifax said that it's implemented a new management system to handle vulnerability updates and to verify that the patch has been issued.

Along with Sen. Warren, Sen. Ron Wyden, a Democrat from Oregon, a Democrat from Massachusetts, Rep. Elijah Cummings, a Democrat from Maryland, and Rep. Trey Gowdy, a Republican from South Carolina, were the four lawmakers who requested the report.

"Today's report highlights the breakdowns and failures at Equifax that led to one of the largest and most consequential data breaches in United States history," Cummings said in a statement. "Now that we know even more about what led to the Equifax breach, it is critical that we develop serious and concrete proposals to help the American people."

Same difference

Lawmakers are still waiting for some action to be taken against Equifax.

While the Bureau of Consumer Financial Protection and the Federal Trade Commission have opened investigations into Equifax's breach, neither of them have taken any actions.

Sen. Warren and Rep. Cummings said they've sent a letter to both agencies asking if they "intend to hold Equifax accountable."

Under the bill that Warren and Sen. Mark Warner, a Democrat from Virginia, are looking to pass, Equifax would have paid at least $1.5 billion in penalties for the breach. So far, the company has paid nothing in fines to the government.

But Equifax would argue it's going under a complete shift to make sure a breach like 2017's never happens again. An Equifax spokesperson said the company has spent $200 million on cybersecurity over the last year. Its new CISO, Jamil Farschchi, has had experience cleaning up messes in the past, as he was called in after Home Depot suffered its own major breach in 2014.

"In the past year, we have undertaken a host of security, operational, and technological improvements," an Equifax spokesperson said.

For affected consumers and many in Congress, those improvements haven't shown to cut it yet.

