Something we at kglobal always tell our clients is that you never “win” when it comes to Crisis Communications. The best you can hope for is to manage a crisis skillfully enough so that employees, regulators, the news media and consumers judge you to be trustworthy.
After all, if you’re in business in the 21st Century, you will inevitably know crisis. That’s forgivable. Simply put, if you manage your crisis well, you will recover. Conduct yourself poorly, and the consequences will be painful – and expensive.
How, then, to measure the performance of Equifax as it manages the news that some 143 million U.S. consumers – more than a quarter of the U.S. population – could be affected by a cyberattack from criminal hackers? So far, the missteps of the Atlanta-based consumer credit-rating agency are obvious and serve as a lesson in Crisis Communications.
First, immediately following the announcement of the breach, the company created a special website with information about the issue and an offer of free credit-monitoring services to all U.S. consumers for a year. Not a terrible step, but it raises the question of why Equifax would invite people burned by the company’s cyber breach to continue to trust its confidential services.
The company compounded the problem by requiring people who sign up for the free service to provide their name and last six digits of their Social Security number. That’s just the kind of information Equifax has warned consumers against providing online. Moreover, security experts noted that the action strongly implies that the typical four-digit Social Security information may have been compromised in the breach and that Equifax now needs previously secret information to positively identify customers.
Understandably, social media exploded with complaints about the company.
Not Equifax's finest hour, users noted. After following directions on the website and receiving a message asking for private information and no answers as to who is affected by the breach, one consumer Tweeted: "Great customer service: put all burden on me."
As if all that wasn’t enough, news reporters soon exposed the fact that when consumers register on the website to learn whether they have been victimized by the hack, they automatically waive their right to sue Equifax. That’s what happens when lawyers override your communications strategy.
On the plus side, Equifax shared a two-minute, 37-second online video featuring Chairman and CEO Rick Smith, who apologized for the data breach and outlined corrective steps the company had taken. Overall, the video was timely and well-produced. But it’s a bit long at more than two minutes running time – feature-movie length in the online world. Also, Smith obviously reads from a teleprompter, which sometimes makes his cadence shaky and undermines the sincerity of his message.
Finally, Equifax’s answer to questions about why the company waited until September 7 to inform the public, when it had discovered the data breach on July 29, justifiably raised suspicion. Here’s what the company said:
“As soon as Equifax discovered the unauthorized access, Equifax acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm which has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Because this incident involves a substantial amount of personal identifying information, the investigation has been complex and time-consuming. As soon as we had enough information to begin notification, we took appropriate steps to do so.”
Too long. Too complicated. Too obviously contrived. Especially when combined with the news that three top Equifax executives, including two who oversee information security, sold company stock valued at $1.8 million days after the data breach was discovered.
It’s no wonder Equifax stock dropped like a stone after the announcement of the cyberattack. The only question now is, how will the company manage its crisis going forward? Its initial efforts don’t inspire confidence.