ATLANTA: Equifax has brought on help from Edelman parent DJE Holdings to deal with the fallout from one of the largest data breaches in history.
The credit reporting agency discovered an intrusion into its systems on July 29 and disclosed the breach, which could put the personal information of 143 million Americans at risk, last week.
"As has been reported publicly, Equifax has engaged a subsidiary of DJE Holdings to support the communications response to the recently announced cybersecurity incident. Outside of that, we do not disclose specific details of agency partnerships," said Wyatt Jefferies, senior director of PR for one of Equifax’s divisions, via email.
An agency representative declined further comment on the relationship.
"As a policy, DJE Holdings and its subsidiaries do not comment on current client work," a DJE Holdings spokesperson said via email.
It wasn’t immediately clear when work on the account began or what the agency’s specific duties are.
Cybersecurity blogger Brian Krebs reported that "Edelman" was the first registered user on the breach-response website EquifaxSecurity2017.com. He and other technology journalists were highly critical of the site.
"[The website] is completely broken at best, and little more than a stalling tactic or sham at worst," Krebs wrote. He tweeted on Thursday that the company was working with reputation management shop McGinn and Company, which was founded by Dan McGinn, according to his LinkedIn account. McGinn also founded TMG Strategies, which was acquired by MSLGroup in 2007. MSL had been Equifax’s AOR in the mid-2000s, according to a source familiar with the business.
Companies that hire a PR agency to handle the response to a cybersecurity crisis typically do so after a forensics team determines whether a breach has occurred and if user data was exfiltrated, according to comms experts who work in the cybersecurity space. Once a breach has been established, the company generally hires lawyers to determine the legal and regulatory issues at stake. The legal team normally refers the client to a PR agency, they said.
This process usually takes place in the first 60 days after a breach, according to several experts. If 50 or more people affected by an incident involving personal health information can’t be reached through the mail, a public notice such as a website must be issued, they said.
Several class-action lawsuits have been filed against Equifax in the past week. On Thursday, the Federal Trade Commission said it is investigating the data breach, and Senate Minority Leader Charles Schumer (D-NY) likened the company to Enron, according to Reuters. Equifax’s share price has dropped more than 30% since the disclosure of the data breach.
This story was updated on September 15 to clarify the requirements for a public notice.