
The Disaster 💩
On 7 September 2017, credit reporting giant Equifax announced a “cybersecurity incident” that exposed the personal information of nearly 148 million Americans — plus millions more in Canada and the UK.
Hackers stole Social Security numbers, birth dates, addresses, driver’s licenses and credit card details. It was arguably the biggest data breach in history.
But Equifax had discovered the breach more than five weeks earlier. During that time, several executives sold stock, fuelling suspicion of insider trading.
To make matters worse, the press release was a wall of legalese that minimised risk, hedged accountability and confused the public.
The Breakdown 👀
Equifax’s response to the data breach was a textbook case of strategic ambiguity. Here are some lowlights from the press release, which ran to almost a thousand words:
1. The Announcement
❌ What they said: “Equifax Announces Cybersecurity Incident Involving Consumer Information.” 👉 “Announces” sounds like good news. “Incident” and “involving” are deliberately vague and downplay the severity.
✅ What they should have said: “Equifax Confirms Data Breach Exposing Sensitive Personal Information.” 👉 Directly acknowledges what happened without straying into an admission of fault.
2. The Impact
❌ What they said: “No evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.” 👉 Translation: your identity is burned, but our systems are fine.
✅ What they should have said: “The systems we use for credit reporting were not affected. But criminals did access other databases containing highly sensitive personal information — including Social Security numbers, birth dates, addresses, driver’s licenses and credit card details.” 👉 Clear and specific — explains the real risk to consumers, while reassuring shareholders about the core business systems.
3. The Apology
❌ What the CEO said: “This is clearly a disappointing event for our company. I apologize to our business and consumer customers for the concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data.”
👉 “Disappointing event” made it about the company, not the victims. “Concern and frustration” trivialised identity theft. And “we pride ourselves” on protecting data? Bro, 148 million identities just walked out the door!
✅ What he should have said: “I am deeply sorry for this breach of trust. I know it creates real concern for people, and we are committed to addressing it with urgency. Protecting your data is our responsibility. Since discovering this breach, we have taken significant steps to strengthen our security and prevent this from happening again.”

The Bottom Line 📉
Equifax’s failure wasn’t just the data breach. It was the strategic ambiguity that followed.
The financial fallout was brutal:
$1.4 billion in settlements, tech fixes and monitoring.
$700 million FTC settlement, including $425 million for consumers.
Over $4 billion in market value erased.
💡 Lesson: you don’t have to choose between legal safety and public trust. But if you delay, hedge and minimise, you lose both.
Until next week, don’t let the lawyers write headlines.
Doug.
P.S. If your team’s press releases read like legal depositions, forward this to them.
Because in a crisis, you don’t get a second draft.
Disaster Comms analyses crisis communication for its impact on public trust. It is not legal advice. In a real crisis, organisations must balance legal, regulatory and reputational risks. Always consult professional counsel before making official statements.

