Data breaches happen more and more, and the crisis response can ease fears—or turn the situation into a PR nightmare.
Such is the case with Equifax, one of the three largest credit bureaus in the United States.
On Thursday, the company announced that a data breach might have affected 143 million people—nearly two-thirds of the U.S.’s adult population. Hackers also accessed data for residents of Canada and the United Kingdom.
Though Equifax announced the news on Thursday, the company first learned of its data breach more than a month earlier, on July 29. In its press release, it wrote:
Most of the consumer information accessed includes names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182,000 consumers were accessed. In addition to this site, Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted. We have found no evidence of unauthorized access to Equifax’s core consumer or commercial credit reporting databases.
It also tweeted the news with a link to its press release:
We recently discovered a cybersecurity incident involving consumer information. Once discovered, we acted immediately to stop the intrusion.
— Equifax Inc. (@Equifax) September 7, 2017
(2/2) We apologize to our consumers and business customers for the concern and frustration this causes. Learn more: https://t.co/ivVHFb2xA4.
— Equifax Inc. (@Equifax) September 7, 2017
At first glance, the press release seems like a textbook example of well-handled crisis communications. The release is segmented into parts, and the company outlines what happened, what consumer information is at risk, its plans to fix the crisis and information for consumers to prevent identity theft.
The press release is also part of a website that includes the consumer notice along with FAQs, a link to check whether you’ve been affected by the breach, links to enroll in Equifax’s complimentary identity theft protection service and contact information.
However, many news outlets are reporting that Equifax’s crisis response raises as many questions as it answers.
In revealing this 21st century catastrophe, the credit reporting service set up a website so users could quickly assess if their information had been made vulnerable. Users, however, were asked to enter the kind of information they’re often warned not to reveal online, in this case a combination of their last name and the last six digits of their Social Security number. The request was met with skepticism, as many already shaken consumers felt unsafe giving up crucial identity data to a company that just admitted being penetrated. A malfunctioning “captcha,” a program used to distinguish humans from bots, added irony to insult.
Equifax’s FAQ page is unhelpful. The main question one likely has at this moment is “has my data been compromised?” The answer to that question remains elusive. Equifax’s custom site for the hack reads “at the beginning of this process, you will find out whether your personal information may have been impacted by this incident,” which does not appear to be true. You’re given a date to come back to Equifax’s website, but you’re not definitively told whether or not your data was affected.
Matsakis also reported that Equifax’s multiple URLs have confused consumers, making many suspicious of phishing attempts:
To make matters worse, there appear to be three different Equifax websites where you can find information about the hack. There’s trustedidpremier.com/eligibility/, where you can receive a date to find out whether you’ve been hacked and enroll in identity theft protection, called TrustedID Premier, there’s Equifax’s official website, Equifax.com, as well as a custom domain EquifaxSecurity2017.com, that was created to inform the public about the hack. The different URLs alone are enough to confuse; after news of the hack broke, multiple VICE employees approached Motherboard employees, asking if this was a phishing attempt designed to steal their data, because of the various URLs involved.
Equifax’s customer service line doesn’t seem to be handling calls well, either.
“One of our writers even went as far as to call Equifax three times to find out if any of her information was leaked. After waiting each time, every call ended in a disconnect,” TechCrunch reported.
Other journalists have reported that after reaching out to Equifax for comments and answers, they were redirected back to the press release and website.
Company officials’ statements offer little comfort.
Equifax chief executive Richard Smith said the incident was “disappointing” and “one that strikes at the heart of who we are and what we do”.
“I apologise to consumers and our business customers for the concern and frustration this causes,” said Richard Smith, Equifax chairman and chief executive.
“We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”
However, the confusion and missteps in customer service don’t reflect Smith’s words.
The financial hit
MarketWatch reported that Equifax’s shares dropped more than 13 percent in after-hours trading.
To add to the company’s image problems, Bloomberg reported that three senior executives sold shares that totaled nearly $1.8 million within days after the company discovered the security breach.
The transactions in question were initiated by Chief Financial Officer and Corporate VP John Gamble, who sold $946,374 worth of shares; President of U.S. Information Solutions Joseph Loughran, who dumped $584,099; and President of Workforce Solutions Rodolfo Ploder, who sold $250,458 in shares. As Bloomberg notes, these transactions were not pre-scheduled trades and they took place on August 2, three days after the company learned of the hack.
On Thursday, Equifax gave the following statement to TechCrunch:
“As announced in the press release, Equifax discovered the cybersecurity incident on Saturday, July 29. The company acted immediately to stop the intrusion.
The three executives who sold a small percentage of their Equifax shares on Tuesday, August 1, and Wednesday, August 2, had no knowledge that an intrusion had occurred at the time they sold their shares.”
How would you advise Equifax to proceed with its crisis response, PR Daily readers?