Report on Equifax Breach Charts Communications Flaws
The House Oversight Committee on Monday issued a report on last year’s giant Equifax data breach. While the document mostly focuses on technical mistakes the credit-scoring company made, it does include a useful section on its public response to the crisis. It especially focuses on the dedicated website and call center, both of which, if you remember, were a bit of a disaster.
When Equifax disclosed the problem on Sept. 7, 2017, we criticized its lackluster communications, especially because it had six weeks to plan. Now we know from the Dec. 10 report that the company didn’t really focus on public outreach — which it dubbed Project Sparta — until about three weeks before. That was when it confirmed a huge of amount of data was compromised.
Dedicated websites are common — and useful — in crises. Equifax’s was for people to find out if they were affected by the breach and, if so, to sign up for credit-monitoring and identity-theft services. The call center was to answer consumer questions and provide guidance.
The execution of both avenues was flawed, as was apparent with the announcement. “The company soon found its website and call centers overwhelmed by individuals seeking information in the wake of the breach,” the congressional report states. “Before the end of September, Equifax’s CIO, CSO, and CEO retired from the company.”
About 50 to 60 IT professionals were dedicated to the website, according to the report, but they weren’t fully informed about what they were doing and in fact were told the site was for an Equifax customer. The mission was to — in three weeks — set up a website capable of handling intake from up to 143 million people, the original estimate of how many were affected by the breach. “Documents show Equifax undertook a significant effort to design and prepare this external website,” according to the committee.
Yet, the report repeats criticisms we heard previously from cybersecurity experts. For one thing, instead of linking the dedicated site to its Equifax.com domain (a crisis communications best practice), the company set up a separate address, equifaxsecurity2017.com. This confused people, especially because it was a long and suspicious-looking URL.
In fact, for two weeks Equifax’s Twitter account directed people to the wrong place because employees had inverted the two words (securityequifax2017.com) and the wrong place turned out to be a “phishing” site set up by a researcher trying to point out flaws in Equifax’s response. On top of that, the actual site provided misinformation.
The call center presented an interesting challenge in that Equifax is largely a business-to-business company and wasn’t prepared for the consumer tsunami that would hit it once it divulged the massive data breach.
The company had about a week to bring on board 1,500 new call-center representatives (it had about 500 before the deluge). The center was overwhelmed and some callers never got to talk to a rep. “Call centers were understaffed and the representatives were untrained,” the report says. The company should have ramped up the call center earlier, Graeme Payne, Equifax’s former Senior Vice President and CIO for Global Corporate Platforms, told investigators.
The report mentions, disparagingly, that Payne was fired the day before then-CEO Richard Smith (pictured) was to testify before Congress — fired allegedly for not forwarding an email about a security patch. While it’s good to take action in a crisis, the congressional investigators weren’t buying this one: “This type of public relations–motivated maneuver seems gratuitous against the backdrop of all the facts,” the report says.
As noted by TechCrunch, Equifax’s response to the report has been defensive. It said it wasn’t given proper time to review it and that it “identified significant inaccuracies and disagree[s] with many of the factual findings.”
Image Credit: Equifax
This is an abridged version of an article that appeared today on the CrisisResponsePro paid subscription portal. (CrisisResponsePro subscribers can access the full version by clicking here. ID and password are required.) To take advantage of all of the content, data, and collaborative resources CrisisResponsePro has to offer, contact us at firstname.lastname@example.org.