Perfection Is the Enemy of the Good: Early Lessons From the Equifax Breach

By Anna Keeve, PR Manager, ESET N. America

Even for communicators outside the cybersecurity sector, the week in which Equifax announced a major data breach exposing the personal data of millions of people was painful to watch.

For a PR pro inside the cybersecurity sector, it was doubly frustrating, and fascinating.

We all know one of the best ways to learn what not to do during a crisis situation is to observe when brands—hopefully not your own—stumble and commit errors. Unfortunately for Equifax and the millions whose data was exposed, the crisis makes for an interesting case study.

What Happened?

In short, here is a crude timeline:

  •  Cybercriminals infiltrated Equifax’s systems in May 2017.
  •  Equifax discovered the intruders in its network in late July 2017.
  •  On September 7, Equifax announced that the attackers had taken personal information on roughly 143 million U.S. consumers, including Social Security numbers, along with data on about 400,000 Britons and some Canadians.

And then…basically everyone started to panic. The media had a field day. Not even one week after the breach announcement, 20 class-action lawsuits had been filed across multiple states. The company faces congressional hearings, and the FTC even commented publicly—it typically is silent in these matters—that it is investigating the breach and Equifax’s handling of it.

Equifax had a lot of time to get a number of things right. It had almost six weeks to prepare all its communications. In the world of data breach public communication timelines, that is long. Remember when Anthem was breached? It came out within one week with a hotline, statements, a landing page, etc.

Speed, Accuracy and Detail

In handling situations like this, you have to weigh three factors: speed vs. accuracy vs. detail.

First and foremost is accuracy. Accuracy should never be compromised for speed; detail, however, may need to be sacrificed for speed, especially when there is an imminent threat to the customer. In other words, it is sometimes better to come out sooner with what you know (and what you don’t) than to come out later with everything you know.

Equifax instead decided to wait, and built a seemingly helpful microsite with a number of resources, including a page where consumers could enter the last six digits of their Social Security number to see whether they were affected, and a video message from the CEO.

Where Did Things Go Wrong?

1. The website Equifax directed consumers to visit contained security holes: Yes, this happened. There is little communicators can do to help once that is the case, of course. It is important, however, for communicators to poke holes in the plan while communication methods are still being considered and developed, and to anticipate the worst that could happen.

Soon after the site launched, consumers on social media and security experts (and, in turn, traditional media) were quick to point out its shortcomings and security flaws.

If your brand is building a website where you ask victims to look up whether the breach touched them, and to enter personal data in order to do so, it needs the same security review as any other production system before it launches. A breach-response site handles exactly the kind of data the attackers were after, and it will be scrutinized by the same experts who are dissecting the breach itself.

2. Equifax’s initial position of requiring affected consumers to submit to arbitration also drew a backlash: People were so enraged that members of the House and Senate called on the company to drop its requirement that anyone who signed up for credit monitoring give up the right to join a class-action lawsuit against Equifax.

As it turns out, the boilerplate arbitration clause likely would not even have applied to the breach. Inserting it was poor legal advice: an attempt at cheap insulation that backfired completely and dragged the brand into an avoidable mess.

Again, there is little a communicator can do to assist in a situation such as this. Still, it is important to think in advance about public perception of, and reaction to, things like asking someone to forgo their rights, or any other asks your company might be making.

Share Dumping

3. Shortly after the public announcement, it was revealed that days after the company discovered the breach in late July, three senior executives, including the chief financial officer, sold Equifax shares.

Now, perhaps it is unfair to blame Equifax, since it is possible the company had no idea these executives were selling shares. But, note to self: check for this type of activity during the window between a breach’s discovery and its announcement. At the least it looks awful in the court of public opinion. At worst, it could be illegal (see below).

I am not an expert on insider trading, but consider placing a hold on executive share sales between the discovery of a breach and the public announcement. Communicators should at least be briefed so they can respond to media.

Equifax’s initial response was to insist the three had no knowledge of the breach when they executed the sales. Equifax also said the shares sold were a small amount of what the executives owned. When your brand potentially has exposed millions of consumers’ data, it’s probably unwise to argue that nearly $2 million in executive shares is a small amount.

As you may know, media reports on September 18 said the Justice Department is investigating possible insider trading at Equifax. Federal prosecutors are examining nearly $1.8 million in sales of Equifax stock by CFO John Gamble; Joseph Loughran, president of the credit-reporting brand’s U.S. Information Solutions division; and Rodolfo Ploder, who runs the firm’s workforce solutions unit, Bloomberg News reported, citing anonymous sources. Shares were trading in the 140s in August; they’re hovering in the 90s now.

4. Equifax withheld information about the root cause of the breach—perhaps hoping to avoid looking negligent—until public pressure and speculation mounted. So finally on Sept. 13, Equifax came out and offered details on how its breach occurred. Up until then it had made vague statements, saying the breach was due to the compromise of a “U.S. web application.”

It is clear that the company wanted to avoid providing much detail beyond that, and made a conscious decision not to disclose the name of the web application. Then, on the heels of an independent security report that named the application, an apparent slip-up by an Equifax spokesperson and a great deal of speculation, Equifax revealed the details, and it did not look good for the brand.

The breach was due to a vulnerability (a term covered in a previous article on these pages; see PRN, June 5, 2017) in a third-party vendor’s web application, but the vendor had published a patch for that hole several months earlier, and it was apparent that Equifax had failed to apply it. Had the patch been applied when it was released, security experts say, the breach would not have occurred.
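The failure described above is, at bottom, an inventory and patch-tracking problem: a fix existed for months, and nobody confirmed it had reached every deployment. The script below is an added example for this article, not Equifax’s code, showing the kind of check a security team can run against a component inventory before a vendor’s fix has aged for months. The hosts, component names, versions and dates are all constructed, and the audit date is only a stand-in for the day an intrusion is discovered.

```python
"""Audit a component inventory against vendor advisories.

Added example for this article, not Equifax's code: it flags deployed
third-party components still running a version below the vendor's fix and
reports how long that fix has been available. All hosts, component names,
versions and dates below are constructed for illustration.
"""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass
from datetime import date


def parse_version(text: str) -> tuple[int, ...]:
    """Convert '2.3.32' to (2, 3, 32) so versions compare numerically.

    A plain string comparison would rank '2.3.9' above '2.3.32'. Trailing
    labels such as '-rc1' are ignored, so '2.3.32-rc1' compares as 2.3.32
    (a simplification; treat pre-releases separately in a real audit).
    """
    parts = []
    for piece in text.strip().split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_version: str   # first release that contains the fix
    published: date      # day the vendor shipped that release


@dataclass(frozen=True)
class Finding:
    host: str
    component: str
    running: str
    fixed_version: str
    days_exposed: int    # days between the fix shipping and the audit date


# Constructed advisories for hypothetical components.
ADVISORIES = [
    Advisory("webframework", "2.3.32", date(2017, 3, 7)),
    Advisory("jsonlib", "1.5.0", date(2017, 6, 1)),
]

# Constructed inventory export: one row per deployed component per host.
INVENTORY_CSV = """host,component,version
web-01,webframework,2.3.30
web-02,webframework,2.3.32
web-03,webframework,2.5.10
web-01,jsonlib,1.4.1
web-02,jsonlib,1.5.2
"""

# Constructed audit date standing in for the day intruders were found.
AS_OF = date(2017, 7, 29)


def audit_inventory(inventory_csv: str, advisories: list[Advisory],
                    as_of: date) -> list[Finding]:
    """Return one Finding per (host, component) running a version below the
    advisory's fixed version, longest-exposed first. Components without an
    advisory are skipped."""
    fixes = {a.component: a for a in advisories}
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        advisory = fixes.get(row["component"])
        if advisory is None:
            continue
        if parse_version(row["version"]) < parse_version(advisory.fixed_version):
            findings.append(Finding(
                host=row["host"],
                component=row["component"],
                running=row["version"],
                fixed_version=advisory.fixed_version,
                days_exposed=(as_of - advisory.published).days,
            ))
    return sorted(findings, key=lambda f: f.days_exposed, reverse=True)


if __name__ == "__main__":
    for f in audit_inventory(INVENTORY_CSV, ADVISORIES, AS_OF):
        print(f"{f.host}: {f.component} {f.running} < {f.fixed_version} "
              f"(fix available for {f.days_exposed} days)")
```

Sorting by days exposed gives the triage order: the oldest unapplied fix is the one most likely to already have a public exploit. Two caveats a practitioner should keep in mind: version strings are a weak proxy when vendors backport fixes or use their own numbering, and a passing audit only shows that the inventory says the right version is installed, not that the patched artifact is actually what is running on the host.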

Customers vs. Company

In general, some basic but critically important principles during a crisis hold true:

“Instead of worrying about what will happen to the company, worry about what will happen to the customers,” says Bryan Scanlon, a PR pro who specializes in cybersecurity breaches and is the founder of Look Left Marketing of San Francisco. This is critical, “especially in all your public-facing comments during the early days of a crisis. In the case of Equifax, the press and industry experts did an excellent job calling out the early website failure and protecting individuals from possibly giving up their rights.”

Normally a company will execute a playbook that checks the boxes, first and foremost on data breach notification laws. The brand then typically moves to winning back customers with clever programs that don’t revisit the breach.

But, Scanlon cautions, “Due to the flood of breaches, one of the greatest concerns is that individuals have grown tone-deaf to very serious warnings. There’s now a moral and ethical imperative for companies to continuously reach out to customers and aggressively help them navigate a serious security situation that may impact more than half of the country’s adult population.”

NOTE: This content appeared originally in PR News, September 19, 2017. For subscription information, please visit: https://www.prnewsonline.com/about/info

CONTACT: @annakeeve

Takeaways

1. Sometimes it’s important to make a breach announcement based on what you know and don’t, rather than delay.
2. Should you delay a breach announcement, make certain the corrective measures you’ve taken will work perfectly.
3. Instead of worrying only about the company, worry about the customers, too.