The hack of Equifax is a case study in how a cybersecurity incident can spiral into a brand disaster.
For those who came in late… The huge consumer credit reporting agency recently disclosed a cybersecurity breach that had occurred earlier in the year. More than 150 million customer records had been exposed, including Social Security numbers, driving licences, bank account and credit card details.
For a business whose business is to safeguard other businesses, it was a huge failure. Appropriately, senior executives have stepped down, as customers and shareholders line up to file lawsuits.
While it was bad enough that Equifax didn’t protect its consumers from the breach, the company’s parlous issues management response to the crisis significantly compounded the brand damage.
So, what were their mistakes…?
Slow & Secretive
It took Equifax six weeks after discovering the breach to disclose it. That’s six weeks in which people remained ignorant of the heightened risk of their data being misused, and six bonus weeks in which hackers were given free rein to exploit it.
Even if the delay hadn’t created a direct customer risk, it created a public perception that Equifax was being evasive about the problem, or not taking it seriously enough.
Self Interest Above Consumer Interest
During the six weeks of non-disclosure about the breach, three executives sold $1.8M in Equifax shares.
Perhaps that’s just a coincidence. The Department of Justice and the SEC are investigating. Whatever their finding, the news of the sales certainly added to the company’s brand damage.
Equifax’s support to those potentially affected by the breach was somewhat tone-deaf and lacking in empathy.
First, the company sent people to a website that had… security issues! (Some browsers classified it as a phishing site and blocked it for days.) Second, to discover whether their details had been compromised, people were asked to disclose some of the very same information (i.e. the last six digits of their Social Security number) that was the subject of the hack.
Equifax’s Twitter account began to connect people to a fake site. Those consumers who tried to get in touch via Equifax’s call center also reported trouble getting through.
Self Interest Above Consumer Interest
As part of its efforts to assist those affected, Equifax offered free credit reporting. However, to take advantage of this offer, the company initially required people to waive their rights to sue.
This is a gold standard example of how the best legal strategy can be the worst brand strategy.
Despite its many missteps, Equifax did eventually get a few things right in its crisis communications.
Before he fell on his sword, then-CEO Richard Smith was commendably frank in describing the incident as “the most humbling moment in our 118-year history” in an op-ed in USA Today. Smith described consumer and media concerns as “legitimate”, accepted their criticism, and undertook to devote “extraordinary resources” to protect consumers better in future.
Smith’s successor, interim CEO Paulino do Rego Barros Jr, went further in taking accountability for the breach, including how it was handled.
Since then, Equifax has been improving the frequency and transparency of its communications. An incident website was created, and has been updated regularly.
Assessing Equifax’s response recently in Ad Week, Bill Bourdon, president of Bateman Group, said “By failing to empathize with customers and taking three weeks to properly apologize, Equifax undermined its appearance of concern and lost consumer trust.”