Equifax discloses a cyber breach that could’ve compromised 143 million consumers’ sensitive info, including Social Security numbers. The hackers had access mid-May through July 2017.
The company creates a site for consumers to check if they were affected and sign up for TrustID Premier, a credit file monitoring and ID theft protection service.
Bloomberg reports three Equifax execs sold shares worth $1.8 million before the breach’s disclosure.
New York Attorney General Eric Schneiderman demands removal of the language and later launches an investigation.
Cybercrime journalist Brian Krebs reports Edelman made Equifax’s "completely broken website."
PRWeek confirms Equifax hired a DJE Holdings subsidiary for comms support.
Equifax reveals it used Apache Struts, open source software with a flaw that hackers exploited.
The company claims it was aware of the risk and took proper measures.
Equifax releases a statement on the incident and steps it’s taken to protect consumers.
At least 30 class action lawsuits are filed. Bloomberg reports Equifax knew of a breach in March.
CEO and chairman Richard Smith retires.
Equifax says 2.5 million more people were affected than initially thought. Critics instantly blast the timing of the disclosure during the Las Vegas shooting.
Smith testifies to the Energy and Commerce Committee. Congressmen rip into the former CEO.
Hit or Miss?
Miss: Cybersecurity incidents require discretion and attention to regulatory concerns when it comes to disclosure and comms. But Equifax’s response has confused rather than clarified.
Lesson 1: If you’re going to issue a public notice through a website, make sure it provides consistent, accurate information, that it’s not vulnerable to phishing threats, and that the thing just works.
Lesson 2: As cybersecurity threats ramp up, comms needs to establish its value in the response process.
This plays to key crisis fundamentals: expressing contrition, demonstrating empathy, addressing concerns, and outlining goals.