What did Equifax (NYSE:EFX) executives know about the cyber hack of 143 million accounts and when did they know it?
In a new bombshell reported late Wednesday, hackers may have infiltrated the system four months before the firm released the breach, according to the Wall Street Journal. A day earlier Bloomberg reported that executives were aware of the breach as early as March, yet the information was not released to the public until September.
Embattled CEO Rick Smith delivered a public mea culpa earlier this month but it has failed to stop the doomsday headlines and investor exodus. Shares have lost 33% since the disclosure.
Ultimately, this is a story of crisis response gone very, very wrong. In fact, this might be one of the worst crisis responses since BP’s (NYSE:BP) CEO said, “I want my life back” after the Gulf oil spill.
The question is, what can they do moving forward? Some would say it’s too late. I disagree.
Here is a road map Equifax could take to rebuild their damaged reputation.
- Find some emotion. Because crises are emotional, companies’ response should be too. People have been hurt and are rightfully afraid. But Smith’s defensive tone focuses more on what Equifax has done to “right the ship,” and less on how customers may be impacted. In fact, many of his statements sound as if Equifax is the real victim here, instead of how the breach has left millions of consumers vulnerable. Without more empathy, no apology will ever be credible.
- Be transparent. Trust cannot be rebuilt without transparency. Equifax offered a year of free credit monitoring to all U.S. citizens – but the fine print suggested that if consumers register, they would also forgo their right to legal action related to the incident. The language has since been changed (now allowing customers to opt-out, and saying the waiver related to class action lawsuits doesn’t apply to this particular breach), but the damage is done. You can’t say you are trying to make it right, while sticking it to people in the fine print. Customers have a long memory if they feel they are being cheated.
- Be vulnerable. People won’t forgive what they can’t understand. And they won’t forget when companies try to hold a crisis at arm’s length instead of addressing it head-on. Addressing it takes vulnerability. Equifax has known about this issue for months and more details are emerging that top executives had in-depth knowledge of the hack as far back as March. Still, in his initial apology video Smith is noticeably uncomfortable and vague about the timeline. He merely states that “the unauthorized access occurred between mid-May and July,” which hardly inspires confidence. What does he need to do to get that confidence back? Explain it. Lean in to it. And be ready to answer the tough questions, because people won’t stop asking them. Why did it take you so long? Why did you ask people to give their rights away to suing in the fine print?
- Don’t just look backward, look forward. That seems counter-intuitive in times of crisis. But solely playing defense in these situations does not work. And yet, that’s what most companies do during times of crisis. They hunker down. They over-lawyer and under-communicate. Or they communicate all the wrong things. Late last week the company disclosed that the chief information officer and chief security officer would leave the company “immediately.” Those executive changes are not unexpected, but scapegoats won’t help the company explain what the plan is to make the wrong – right going forward.
- Own the magnitude of the problem. This isn’t a one-and-done apology. This event will take time to fix. Smith has apologized publicly, but he’ll need to do even more and he needs to keep the public in the loop about what the company is doing to mitigate the crisis and prevent it from happening again in the future.
- Do something symbolic. If you want to make this right, take actions that make it right. Think about what Howard Schulz did when he came back to Starbucks (NASDAQ:SBUX) years ago. He didn’t just commit to making better coffee. He shut the door for two hours so that every barista could learn to brew the perfect cup. Equifax can’t just offer credit monitoring service. They have to show they won’t stop until this is made right.
- Repeat. Repeat. Repeat. If the executives at Equifax aren’t nauseous from repeating their narrative on how they are going to make this right, they won’t gain any traction, and they won’t start to change the conversation.
The bottom line: Equifax can turn things around. Will it be easy? No. But in order to do that, they need to stop focusing on setting the record on Equifax right. The time for defense is over. Instead, they need to focus on making sure that every one of those 143 million impacted consumers’ records are right.
Lee Carter is president of maslansky + partners and oversees a diverse range of communication and language strategy work for Fortune 100 and 500 companies, trade associations, and non-profits in the U.S. and globally. A communication research veteran, Lee has conducted and analyzed more than one thousand instant response dial sessions, traditional focus groups and client strategy sessions. Lee has also written and overseen hundreds of language surveys and polls in more than 15 countries.