Timeline of a crisis: How Equifax botched its breach

The company ignored a cybersecurity risk that endangered the personal information of millions of U.S. residents.

Former Equifax CEO Richard Smith. Image source: Getty

September 7

Equifax discloses a breach that may have compromised sensitive information on 143 million U.S. consumers, including Social Security numbers. The attackers had access to its systems from mid-May through July 2017.

The company launches a website where consumers can check whether they were affected and enroll in TrustedID Premier, its credit-file monitoring and identity theft protection service.

Bloomberg reports that three Equifax executives sold shares worth $1.8 million before the breach was disclosed.

September 8

TrustedID’s terms of use are criticized for requiring users to waive their right to join a class action lawsuit.

New York Attorney General Eric Schneiderman demands that the language be removed and later opens an investigation.

September 11

Security journalist Brian Krebs reports that Edelman built Equifax’s "completely broken website."

September 14

PRWeek confirms that Equifax hired a DJE Holdings subsidiary for comms support.

Equifax reveals that the attackers got in through a known vulnerability in Apache Struts, the open-source web application framework it runs.

The company says it knew of the vulnerability at the time and had tried to identify and patch affected systems.

September 15

Equifax releases a statement on the incident and the steps it has taken to protect consumers.

September 18

At least 30 class action lawsuits have been filed. Bloomberg reports that Equifax learned of a breach of its systems as early as March.

September 26

Chairman and CEO Richard Smith retires.

October 2

Equifax says 2.5 million more people were affected than initially reported. Critics immediately attack the timing of the disclosure, which comes amid coverage of the Las Vegas shooting.

October 3

Smith testifies before the House Energy and Commerce Committee, whose members grill the former CEO.

Hit or Miss?

Miss: Cybersecurity incidents call for discretion and close attention to regulatory requirements around disclosure and comms. But Equifax’s response has confused rather than clarified.

Lesson 1: If you issue a public notice through a website, make sure it provides consistent, accurate information, that it cannot easily be impersonated by phishing sites, and that it simply works.

Lesson 2: As cybersecurity threats grow, comms needs to establish its value in the response process.

That means the crisis fundamentals: expressing contrition, demonstrating empathy, addressing concerns, and outlining next steps.
