Credit-reporting company Equifax Inc. is in boatloads of trouble following its recent disclosure that hackers accessed its system and potentially stole the personal financial information of 143 million Americans.
And while consumers, financial firms and regulators continue to assess the extent of the damage, I’m here to call out the company’s lackluster handling of the situation as a lesson for all business and talent leaders.
On Sept. 7, 2017, Equifax first informed the public that hackers had gained access to its system, potentially compromising the personal information — names, social security numbers and addresses — of some 143 million Americans, or almost half of the entire U.S. adult population.
As The Wall Street Journal reported that day, the size of the hack is second only to a pair of cyberattacks on Yahoo Inc. disclosed last year that affected the information of about 1.5 billion customers. The hack also involves nearly twice the number of affected compared to the high-profile breach at financial firm J.P. Morgan Chase & Co. roughly three years ago.
Yet, buried in many of the news reports last week is the fact that Equifax first learned of the hack back on July 29, about six weeks before it informed the public. As again reported by The Wall Street Journal, Equifax said it reported the initial intrusion to law enforcement. It also contracted a cybersecurity firm to conduct a full forensic review. What’s more, the Journal points out that following the company’s discovery of the breach, three of its top executives, including Chief Financial Officer John Gamble, sold shares worth a combined $1.8 billion. Wow.
I’m no cybersecurity expert, but waiting six weeks to disclose a hack of this nature is a little startling, especially for a public company. What’s more worrisome is the disclosure that top executives, already foreseeing the fallout, sold company stock, which has unsurprisingly taken a market beating since the news of the hack became public.
Now, I suppose one could argue that Equifax may have wanted to learn the full extent of the hack and potential damage before making a public statement. After all, if the forensic review uncovered that the hackers were unable to extract much by way of customers’ personal information, why say anything; might as well wait until they’ve confirmed the bad news themselves.
On the other hand, with the benefit of hindsight and knowing the full extent of the damage, Equifax is now in the defensive position of having to explain its foot-dragging to inform the public. This makes the company look almost as if it were trying to hide the bad news on purpose — an idea that isn’t helped by the executive sale of significant portions of company stock.
Certainly Equifax isn’t the only public company guilty of trying to hide bad news. Business journalists have become accustomed to public companies trying to sneak out news of this ilk in late Friday afternoon securities filings. It’s a tactic used in the hope that fewer people will be paying attention heading into the weekend.
Still, it’s surprising to me that Equifax and other companies haven’t discovered the folly of this practice.
Trying to hide bad news in today’s media environment is a fool’s game. And any savvy public relations expert will tell you that the best course of action is to be fully transparent from the start.
Had Equifax made a statement in early August disclosing what it then knew of the breach, the public’s reaction by the time they learned the full extent in September would’ve felt muted compared to the sudden shock and panic that went on over the weekend as people rushed to protect their credit and ensure their financial information was safe.
Because we all know Equifax waited and that company executives took personal protective action in selling stock, Equifax is now being looked at to explain not only why it left its systems vulnerable in the first place but also why it didn’t inform stakeholders immediately once the breach became known.
Had Equifax immediately come clean with a statement and informed the public of the steps it would take to investigate the breach, the company could’ve positioned itself as a victim in a crime that it was now being fully transparent in trying to solve.
Instead, we’re left feeling cheated by a company that, as consumers, we may not have chosen to do business with in the first place. Unlike other companies, credit-reporting agencies unknowingly monitor our financial activity, supposedly for our own protection.
But after this incident, because Equifax couldn’t come clean from the get-go, this just feels like another hapless effort by a company to cover up news that wouldn’t feel so bad if not for the effort the company took to make sure we didn’t know about it right away.
Frank Kalman is Talent Economy’s managing editor. To comment, email editor@talenteconomy.io.
