The Equifax data breach revealed last week was one of the worst data breaches ever, and the company’s response may be one of the worst crisis management reactions ever, or at least in recent times. The Equifax reaction violated several rules of PR crisis management, further damaging its reputation.
The data breach is not the largest, but it could become the most economically damaging due to the sensitivity of the compromised information. Personal data of 143 million customers were potentially hacked (that means stolen). Reports indicate that hackers might have stolen Social Security numbers, birthdates, addresses and driver’s license numbers – exactly the information they need to steal identities. Answers to security questions may also have been exposed, which could allow hackers to change passwords.
Here are some of the crisis management rules Equifax breached:
A delayed response. Quick revelation of mishaps and their facts helps customers protect their identities and also helps protect the brand’s image. Equifax uncovered the breach on July 29 but didn’t publicly announce it until last Thursday, Sept. 7.
Questionable stock sales. Three top Equifax executives sold stock three days after the company discovered the breach. The company told CNN that the executives were unaware of the breach at the time. Even if that’s true, the stock sales create an untimely issue. The company said the stocks, which total $2 million, amounted to “a small percentage” of the executives’ portfolios. Another blunder, considering most of its customers can only dream of having $2 million.
Uninformed management. Informing top management of major problems is another tenet of PR crisis management. Yet its high-level executives, the company claims, were unaware of one of the largest data breaches ever.
The opaque apology. Proper crisis management calls for a sincere apology that assumes responsibility, and promises to investigate the mishap and make amends. The Equifax press release about the breach “weasels out of clarity and responsibility,” says crisis management expert Josh Bernoff. While it offers an apology, the press release bursts with corporate jargon, passive sentences and vague statements that seem designed more to protect the company from lawsuits than protect its image.
The happy Friday tweet. The day after announcement of the breach, the Equifax customer service account tweeted “Happy Friday! You’ve got Stevie ready and willing to help with your customer service needs today!” Twitter users did not appreciate the tweet’s cheerful tone. It was not a good way to show empathy to people worried they may become victims of identity theft. In the face of a crisis, all marketing and PR materials scheduled for release should be held back – or at least re-evaluated.
Flawed help for customers. The PR crisis management playbook calls for offering compensation to aggrieved parties. Equifax fell short in that regard. Following the announcement, Equifax created a website where consumers can learn if their information was compromised. All they had to do was enter part of their Social Security number. Observers pointed out the irony of a firm that had lost sensitive information asking customers to provide sensitive information. Huffington Post compared it to “getting food poisoning from a restaurant and receiving a voucher for a free dinner at the same restaurant.”
Worse yet, its online tool suffered technical problems. Web browsers flagged it as a possible phishing site, probably because Equifax hosted the tool, equifaxsecurity2017.com, on a newly-created page, not on its own trusted site.
The online tool “is completely broken at best, and little more than a stalling tactic or sham at worst,” states security expert Brian Krebs. “I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived.”
Initially, new PINs assigned by the online tool were based on the date and time the customer requested service, not randomly generated numbers. Hackers could easily filch those new PINs. Equifax fixed that problem relatively quickly.
Problematic identity protection. Equifax offered to provide anyone its identity protection service, TrustedID, for free. The service has significant limits. Anyone agreeing to the terms of service forgoes their right to sue Equifax and file or join a class action lawsuit. The service can’t prevent misuse of existing accounts and doesn’t cover applications for credit screened through Equifax’s competitors, points out Fortune contributor David Z. Morris.
Plus, it’s free for only a year. Then customers will need to pay for it. “That means Equifax is essentially using its own data breach as lead generation, a distasteful move if there ever was one,” Morris writes.
Bottom Line: PR crisis management experts and other pundits roundly criticized the Equifax crisis management. Its responses fell short in numerous ways. The crisis management response may emerge as a case study of how not to handle a data breach.
Resources to help you:
How to Protect Your Information Online (The New York Times)
Equifax’s Instructions Are Confusing. Here’s What to Do Now (The New York Times)
Equifax, Bowing to Public Pressure, Drops Credit-Freeze Fees (The New York Times)
William J. Comcowich founded and served as CEO of CyberAlert LLC, the predecessor of Glean.info. He is currently serving as Interim CEO and member of the Board of Directors. Glean.info provides customized media monitoring, measurement and analytics solutions across all types of traditional and social media.