A hack at Equifax exposed the data of 147 million people. Here’s what businesses can learn from the company’s response


In 2017, consumer credit rating giant Equifax suffered one of the country's largest data breaches, exposing the personal information of 147 million U.S. citizens, or roughly 40% of the population, to hackers.

The breach led to a record settlement with the FTC, a dramatic downgrade in Equifax’s own credit rating, and close to $3 billion in expenses for the company as it restructured both its C-suite and data practices, including dishing out $1.4 billion in settlement payments.

Yet six years later, Equifax is still going strong. Its stock price has soared 34% above where it was just before the breach, and the company raked in $5.12 billion in revenues last year, suggesting the agency was able to place the scandal behind it. But analysts say businesses can still learn many lessons about regaining consumer confidence from Equifax’s mishandling of the situation.

“What other businesses can learn from Equifax’s response is if you choose to reach with truth as transparency publicly from the first moment you were alerted to the issue, you can better control the narrative. Don’t let others write your business history for you,” Ronn Torossian, founder and chairman of 5W Public Relations, previously told Forbes.

Equifax, which didn’t respond to Fortune’s request for comment on this article, was slow off the mark in responding to the crisis, waiting six weeks after discovering the breach to alert consumers. In that time, multiple senior executives sold off a total of $2 million worth of company stock.

Equifax said the three most senior executives, including the CFO, who sold their shares days after the breach was discovered, hadn’t been made aware of the breach at that time. Two other lower-ranking managers, who sold shares roughly a month after the breach, were later found guilty of insider trading.

When Equifax finally did tell the public about the breach, it fumbled again. The company created a new website—equifaxsecurity2017.com—where customers could check whether they had been a victim of the leak. However, the site’s security protocols, Ars Technica reported that same year, were subpar, which exposed customers to another potential security threat.

In another major slipup, Equifax’s public relations team directed users to the wrong site multiple times, instructing concerned customers to check securityequifax2017.com instead. The domain holder of securityequifax2017.com had acquired the URL to make a point of Equifax’s lax security standards. The phony site received 200,000 hits before the domain holder took it down.

Meanwhile, language on the actual crisis site implied that customers waived their right to sue by checking if they had been impacted, although that language was changed after media flagged the practice.

“It is troubling that Equifax is forcing people to waive legal rights in order to receive fraud monitoring after the company’s breach put their personal information at risk. Equifax could remove this clause so that consumers can receive this service without condition,” a statement from the Consumer Financial Protection Bureau chided at the time.

Today, companies aren’t legally able to sit on data leaks for as long as Equifax did in its 2017 case. The Securities and Exchange Commission passed a regulation this July that requires companies to declare data breaches to shareholders, consumers, and regulators within four days of discovery.

The rule also requires companies to be proactive in mitigating cybersecurity risks, demanding companies “describe their processes…for assessing, identifying, and managing material risks from cybersecurity threats.” That’s another area where, in 2017, Equifax was caught lacking.

With more companies hoovering up greater volumes of data now than six years ago, data leaks are almost inevitable, so having a game plan ready for a leak is essential to maintaining consumer trust.

“Buckle up,” Equifax chief information security officer Jamil Farshchi told industry news site SC Media in April. “The regulators are upset, and they’ve seen where this is going. This is a different game. We all have to step up.”

Eamon Barrett
eamon.barrett@fortune.com

This story was originally featured on Fortune.com
