Now that we’ve introduced the principles of crisis communications and image repair, let’s analyze the Equifax breach response. Recall the “3 C’s of Trust”:
Competence - Capable of skillfully executing one’s job
Character - Strong adherence to good values, including loyalty, duty, respect, selfless service, honor, integrity, and personal courage
Caring - Genuine concern for the well-being of others
As we will see, Equifax’s response caused stakeholders to question all three of these factors, which badly damaged Equifax’s image and exacerbated the crisis.
3.3.1 Competence Concerns
After announcing the breach on September 7, 2017, Equifax was immediately off on the wrong foot. Consumers rushed to freeze their credit, only to find that Equifax’s freeze request page was unresponsive.27
Equifax also set up a website that consumers could visit to find out whether their data was exposed, but as investigative journalist Brian Krebs reported, the site was “completely broken at best, and little more than a stalling tactic or sham at worst.”28
The site asked consumers to submit the last six digits of their SSNs in order to determine whether they were affected. Consumers who did enter their information received vague and often conflicting results. Krebs reported that “[i]n some cases, people visiting the site were told they were not affected, only to find they received a different answer when they checked the site with the same information on their mobile phones.”29 Krebs himself did not receive a yes-orno answer, but rather “a message that credit monitoring services we were eligible for were not available and to check back later in the month.” These responses were infuriating for consumers, who were anxious and frustrated that the promised corrective action was not available.
Ironically, many web browsers flagged the breach information site as a phishing attack in the first few hours after the announcement. To make matters worse, the site was riddled with security holes. “[V]ulnerabilities in the site can allow hackers to siphon off personal information of anyone who visits.”31 While building a brand-new, interactive website may have been nice in theory, Equifax’s developers—reportedly associated with the outside public relations firm Edelman—clearly did a rush job.32
“Talk about ham-handed responses. . . . This is simply unacceptable,” said U.S. Representative Greg Walden.33
Right away, Equifax appeared incompetent. This negative image was exacerbated days later, when the media discovered that Equifax’s official Twitter account had accidentally tweeted the link to a phony phishing site, securityequifax2017.com, four times during the response. “When your social media profile is tweeting out a phishing link, that’s bad news bears,” said security professional Michael Borohovski, cofounder of Tinfoil Security.34
As details of Equifax’s cybersecurity issues were exposed, it painted an increasingly ugly picture. Just days after the breach was announced, Krebs reported a ridiculous vulnerability in a portal used by Equifax Argentina employees for credit dispute management: the portal was “wide open, protected by perhaps the most easy-to-guess password combination ever: ‘admin/admin.’”35
Two days later, Equifax confirmed in a statement that the megabreach had been caused when hackers broke into a web server, exploiting a well-known vulnerability in the Apache Struts framework. The vulnerability had been announced in March 2017, and Equifax was hacked in May—meaning that the company had more than two months to patch the system but didn’t.36 Equifax announced the cause only after a research firm published an uncited report implicating the Apache Struts vulnerability, which sparked rumors.37 The day after the statement was released, the company’s chief information officer and chief security officer stepped down.
Equifax’s CEO later blamed an employee for not installing the patch and said a subsequent security scan did not detect the issue. Consumers didn’t buy the excuse, if it was one.
Senator Elizabeth Warren tweeted: “It’s outrageous that Equifax—a company whose one job is to collect consumer information—failed to safeguard data for 143M Americans.”38
3.3.2 Character Flaws
The integrity of Equifax, as a corporation, as well as its leadership team, was called into question immediately due to the length of time taken before notifying. “Equifax waited six weeks to disclose the breach,” wrote reporter Michael Hiltzik in the Los Angeles Times the day following the company’s announcement. “That’s six weeks that consumers could have been victimized without their knowledge and therefore left without the ability to take countermeasures. Equifax hasn’t explained the delay.”39 It wasn’t just the public that was kept in the dark; CEO Smith also waited 20 days to inform the company’s board, despite the massive scale of the breach.40
The delay triggered deep suspicion. “New York Attorney General Eric Schneiderman wants to know when the company learned about the breach and how exactly it happened,” Bloomberg reported. Questions of integrity grew when it became known that three senior Equifax executives had sold shares in the company worth nearly $2 million in the days following the breach discovery.
In the aftermath of the breach announcement, Equifax’s call centers couldn’t come close to handling the flood of phone calls. Consumers were infuriated. The lack of two-way communication contributed to a growing sense that Equifax did not actually care about the consumer.
Later, in his congressional testimony, former CEO Smith apologized:43
We were disappointed with the rollout of our website and call centers, which in many cases added to the frustration of American consumers. The scale of this hack was enormous and we struggled with the initial effort to meet the challenges that effective remediation posed. The company dramatically increased the number of customer service representatives at the call centers and the website has been improved to handle the large number of visitors. Still, the rollout of these resources should have been far better, and I regret that the response exacerbated rather than alleviated matters for so many.
Smith closely integrated his personal image with Equifax’s breach response. On the same day as the breach announcement, Equifax released a video featuring Smith—presumably in an attempt to humanize the company. It didn’t do them any favors. Smith essentially read the company’s statement out loud with a wooden expression, looking like a deer in headlights. Although Equifax wisely included an explicit apology in the message, it was buried halfway through the video, and the words were not enough to overcome Smith’s strained, unemotional demeanor.44
The Equifax breach quickly exploded into a “dumpster fire” (as Krebs put it). Smith was forced to resign after a 12-year tenure, just weeks after the breach was announced.
Equifax’s communications following its breach left stakeholders with the following impressions:
Incompetent - Smith did not oversee Equifax’s cybersecurity program effectively, as evidenced by the breach and gross fumbles with technology in the company’s response.
Lack of Character - Equifax’s delayed notification, along with rumors of an executive stock dump during the breach investigation, caused the public to question the integrity of the company and its leadership.
Uncaring - Smith’s wooden performance in Equifax’s public relations video, combined with the call center frustrations, left the strong impression that Equifax did not care about consumers.
As a result, the breach badly damaged Equifax’s image and destroyed trust that key stakeholders had in the company’s leadership.
Throughout the acute phases of the crisis, Equifax’s stock value clearly changed based on the company’s communications. Stock prices fell from $142.72 on the day of the announcement to a low of $92.98 a week later on September 15, 2017, as shown in Figure 3-2. Things started to pick up with the resignation of the CIO and CSO; clearly shareholders began to rebuild confidence with a change of management. With Smith’s resignation, Equifax’s stock rose yet again. By the end of the year, share prices were still down, but slowly recovering.
3.3.5 Crisis Communications Tips
There are many lessons to be learned from the Equifax breach, but perhaps none are so well illustrated and so poignant as those relating to crisis communications. In today’s day and age, many CEOs—too many—will find themselves in much the same position as Smith.
In those first few hours, days, and weeks, keep in mind the following priorities:
Maintain Trust with Your Stakeholders. Remember the 3 C’s: Competence, Character, and Caring.
Tell It Early, Tell It Yourself. Maintain a congenial relationship with the media. By providing a quote when contacted by the press, you send the message that you are not trying to hide.
Tell the Truth. If you tell the truth, you won’t have to suffer the consequences of a scandalous lie.
Make It a “One-Day” Story. Few data breach stories are ever really one day, but get as close as you can by consolidating announcements and responding to the press as quickly as possible. Don’t give journalists incentive to “dig.”
Take Responsibility. This is the foundation for rebuilding trust.
Apologize Clearly and Quickly. A sincere apology diffuses anger and shows respect for your stakeholders.
Listen! Prepare your staff to listen to stakeholders. For example, you might consider opening a call center in response to the breach, so that members of the public can quickly speak with a real human. Likewise, shareholders, regulators, and other stakeholders need a point of contact who can listen to their concerns and diffuse strong emotions.
Make Sure Your Tools Work. Too often, when a breach occurs, breached companies offer services to the public, such as a hotline or credit monitoring, but the technology or processes to support them are broken or not immediately available. This further inflames sentiments.
Make Amends. Use image repair tactics such as compensation or corrective action to restore your organization’s image.