Equifax’s crisis communications strategy dealing with its security hack has been an epic fail. And the credit reporting giant continues to make the situation worse. Each day it seems that something new comes out that Equifax did not reveal when the story first broke or of a mistake the credit reporting giant has made in its crisis communications response.
The latest revelation was Equifax had to apologize for linking people via social media to a fake online site that mimicked the link on its site for its massive Sept. 7th security breach. People who clicked on the link got this headline – “Cybersecurity Incident & Important Consumer Information Which is Totally Fake, Why Did Equifax Use A Domain That’s So Easily Impersonated By Phishing Sites?”. Add to this abrupt resignation of the Equifax CEO and his exit compensation. This comes as Equifax is still reeling from the damage done to its reputation from the security breach.
The original story of the security hack at Equifax is well known. The breach lasted from mid-May through July of this year with hackers obtaining the personal information of 143 million people. This information included people’s names, Social Security numbers, birth dates, addresses and, driver’s license numbers. Compounding the problems for Equifax three officers of the company sold stock shares worth a combined $1.8 million just before the breach was detected.
Successful crisis communications requires:
1. Being proactive. In this Equifax failed as they waited 6 weeks before revealing the hack. This delay has raised questions of why did they wait and raised suspicions of a cover up. This was worsened by the revelation that company officers had sold stock just prior to the detection. Had the company got out in front of the story, particularly during the slow news period of August, it would have earned kudos for being honest and would have drawn less coverage than it is now when reporters and the public are back from vacation. Had they done so, they would have been able to control much of the narrative. That is why being proactive in crisis communications is essential. Now rather than controlling the story, they are caught playing defense daily which leads to the second point needed for successful crisis management.
2. When a crisis hits, it is essential to be transparent in communicating to the public, policymakers, vendors, employees, and the media. Again, Equifax failed. The full story has been coming out slowly with each day a new revelation. Last week it was that Equifax did not implement a security patch in March that could have prevented the hack. This week it was linking people to a fake online site that mimicked the link for its site on its massive Sept. 7th security breach via social media. Who knows what it will be next week. Transparency requires getting everything out at once – the good and the bad. Rather bits and pieces have been coming out each day since the initial revelation. This is a failure of crisis communications 101. The failure to get everything out at one time in an open manner is making Equifax look like the gang that can’t shoot straight and is leading to increased suspicion that the company is hiding something. All of which could have been and should have been avoided by a strong, detailed, and transparent announcement about the breach initially.
3. During a crisis, it is critical to show empathy towards those who have been affected. Equifax has done the opposite. Rather than getting its CEO out as the face of the company who could express empathy and apologize for what has happened, the company has hidden behind press releases. Its offerings to help victims have fallen far short and appear in the fine print designed to avoid litigation. The company and its employees have been tone deaf. This goes all the way to employees in the company’s call centers who have been reported to be rude and flippant to consumers.
4. Social media. Social media drives narratives. A brand’s social media message must reflect what it is communicating in the traditional media during a crisis. Consumers and reporters check social media for current trends and news. It is a way brands and leaders communicate (just ask Donald Trump). Equifax seems to have overlooked this fact. When the scandal first broke, its social media seemed to be ignoring the story, immortalized by its infamous tweet the day the scandal hit of “Happy Friday”. Now it has been caught using social media linking to a bogus website which fortunately for consumers (and the company) wasn’t a hackers site.
5. No solution. The final aspect of successful crisis communications is a solution on how an issue will never happen again. In this too, Equifax has failed.
So, what should the company do now?
1. Get all the information out immediately. No more slow drip. If anything else is there that might be damaging to Equifax, the company must get out it in the open. The worse thing that could happen is for a reporter to find something that the company has not already acknowledged. It cannot keep taking the hits it has sustained by not revealing everything much longer before irreparable damage is done.
2. Have the interim CEO become the face of the company. offer a sincere apology and address all stakeholders – consumers, vendors, policymakers, stockholders, and employees. This means taking responsibility and speaking publicly through interviews and social media. Mary Barra of General Motors offers a perfect example of how this was done correctly.
3. Find a new permanent CEO who has a record of integrity, is well recognized by the public and policyholders who will symbolize a break with the past.
4. Offer a solution on moving forward.
Equifax has failed crisis management 101 and is will be served as a textbook example of how not to handle crisis management. Until it takes corrective measures the company will continue to suffer and offer an example of what not to do during a crisis.