On September 7, 2017 Equifax announced the cybersecurity incident to the public in the form of a press release. The company stated that the information that was breached included names, social security numbers, birth dates, addresses and some driver's license numbers. They revealed that they discovered the breach on July 29, 2017 and acted to immediately stop the intrusion. The company partnered with an independent cybersecurity firm to determine how many people were impacted and how much data was breached. Also, they reported the crime and are working with the authorities to determine who is behind the attack and how it happened. Equifax made the website, www.equifaxsecurity2017.com, so that customers could determine whether their information was impacted as well as signing up for free credit monitoring and identity theft protection. The chairman and CEO, Richard Smith, apologized to the consumers for the breach. He stated, "We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident."
The company released another press release on September 15th and stated that the Chief Information Officer and Chief Security Officer were retiring. They appointed Mark Rohrwasser and Russ Ayres to take their places. The company informed the public that they were still working with law enforcement in the ongoing investigation. They disclosed that the hackers were able to access the data through the a vulnerability in the Apache Struts and were able to access the data from May 13th until July 30th. They included all of the new changes that they put in place to support the customers that were potentially exposed. They created the website, offered free credit monitoring and identity theft protection, set up a call center and refunded the consumers who paid to put a freeze on their account on and/or after September 7, 2017.
October 2, 2017 Equifax released its final press release regarding the cybersecurity incident. They announced that the firm concluded it's investigation. The interim CEO stated that the results would be promptly released and he will personally continue to monitor the process on a daily basis. Barros apologized again to the public for the incident and stated that the company will take numerous actions and steps to improve their security.
I have decided to use the Situational Crisis Communication Theory to analyze the response that Equifax used. It is clear that the company used the "deal" response. They expressed their concern to the public, offered compensation for the incident, admitted that they are filled with regret and feel bad about the crisis, and apologized several times. I think that the company should have taken full responsibility for the incident. They did not take responsibility for not updating their software which ultimately led to the breach. The company decided to ignore the "who is to blame" factor and did not choose to comment about why it took them so long to let the public know about the breach. There seems to be a lot left unsaid about the incident from the company's side of things. I do not believe that their apology was enough to keep their current customers or attract new ones. I could see the company shutting down in the future.
References
Equifax Inc. (2017, October 2). Equifax Announces Cybersecurity Firm Has Concluded Forensic Investigation Of Cybersecurity Incident. Retrieved November 10, 2020, from https://investor.equifax.com/news-and-events/press-releases/2017/10-02-2017-213238821
Equifax Inc. (2017, September 15). Equifax Releases Details on Cybersecurity Incident, Announces Personnel Changes. Retrieved November 10, 2020, from https://investor.equifax.com/news-and-events/press-releases/2017/09-15-2017-224018832
Equifax Inc. (2017, September 26). Equifax Chairman, CEO, Richard Smith Retires; Board of Directors Appoints Current Board Member Mark Feidler Chairman; Paulino do Rego Barros, Jr. Appointed Interim CEO; Company to Initiate CEO Search. Retrieved November 10, 2020, from https://investor.equifax.com/news-and-events/press-releases/2017/09-26-2017-140531280
Equifax Inc. (2017, September 7). Equifax Announces Cybersecurity Incident Involving Consumer Information. Retrieved November 10, 2020, from https://investor.equifax.com/news-and-events/press-releases/2017/09-07-2017-213000628


Hi Wetzel,
ReplyDeleteI loved the blog post and all the information shared about Equifax’s response to the cybersecurity breach. This post caught my eye the most because the company lost personal information on nearly 147 million people. Do you think the company was able to retrieve all the personal information lost? Also, I want to know how if the company took the time to update the system and stop any additional hacks. I just find it confusing how a 22 billion dollar company managed to lose the personal information of their customers. There should be some form of practice put in place to prevent any hacking from going on within the network.
It's a consistent trend for these big corporations to be late with a statement or aren't taking responsibility for their lack of service. Besides having people's identities at jeopardy, a late statement or lack of accountability wouldn't attract or keep customers. Do you think companies should be more honest and be held accountable for their actions even if that means a plethora careers could be ended?
ReplyDelete