“On July 29, 2017, Equifax discovered that criminals exploited a U.S. website application vulnerability to gain access to certain files. Upon discovery, we acted immediately to stop the intrusion. The company promptly engaged a leading, independent cyber security firm which has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement and continues to work with authorities. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017.” – Equifax data breach website
Crisis communication is “the provision of effective, efficient messages to relevant audiences during the course of a crisis,” according to John Allen Hendricks and Hanna S. Noor Al-Deen in Social Media and Strategic Communications.
Equifax’s crisis communication involved multiple pitfalls. One solution to the crippling data breach was to provide one year of identity monitoring. But, the original contract that consumers had to sign included a clause that waived rights to join a class action lawsuit and opted for forced arbitration. After consumer backlash the contract was clarified to mean that the clause did not apply to this breach.
Equifax also deployed a social media plan for their crisis response. The company used Twitter to respond to consumer’s questions and concerns regarding how they could protect themselves and find out more. Equifax directed social media traffic back to the website set up to handle communication for the breach http://www.equifaxsecurity2017.com.
But, at least three times, someone in the social media management team posted the wrong link to a fake site created by a third party (www.securityequifax2017.com). This is extremely troubling because the fake site mimicked the real site, which prompts consumers to put in their social security number to see if they were affected by the breach. The tweets were deleted, but the lack of attention to detail remains evident.
Not only do these actions further endanger consumers and their information, but it could portray a lax attitude toward the severity of the breach in regard to the impact on consumers.
According to research from Hendricks and Al-Deen “social media provides stakeholders with an opportunity to discuss issues that they deem salient to them in an online community by bypassing the traditional gatekeepers during a crisis.” Social media can also be used to quickly disseminate information.
Equifax was right to use social media in a crisis like this, where millions of people were effected and as a result panicked. The company was able to disseminate information quickly, and allowed for converstaions with stakeholders.
However, in the process of responding to stakeholder tweets, the employee sent out the fake link. That coupled with the controversial clause in the contract for free identity monitoring created a credibility issue.
And, according to Hendricks and Al-Deen the “message effectiveness is influenced by source credibility.” So, even though the company deployed a strategic social media strategy in response to the data breach crisis, the efforts were undermined by mistakes that hurt the credibility of their response efforts.
The biggest lesson here is that social media is an essential tool to communicating with stakeholders in a crisis situation, but the strategy must not only strategically disseminate critical information, but must also have an airtight messaging strategy. Otherwise, the return on the investment is lost along with credibility.