Introduction
Malware is known to be the main means through which large corporate cyber incidents are executed, although there are cases in which employee involvement and other means are used to target important protected information in organizations. Among the major data breaches that have occurred recently, the 2017 Equifax data breach remains to be among the most significant cyber incidents that are known to affect a large organization.[1] Important data belonging to around 145 million U.S. citizens were reported to have been illegally accessed by cybercriminals.[2] Most studies that investigate breaches, such as Equifax, evaluate the causes of the incident. Nevertheless, considering the large financial and reputational losses that such companies undergo after a big cyber incident, it is important to study the incident handling strategies that the affected organization applied in order to draw useful lessons on how corporate victims of such breaches should deal with the incident.[3]
This paper, therefore, aims to evaluate the effectiveness of the incident handling strategy that Equifax utilized to reduce the reputational and performance damages that the 2017 massive data breach caused. The paper begins by discussing some of the theoretical frameworks that are used to understand the way organization responds to the occurrence of big cyber incidents that affect the performance and image of the affected firm. All the models that are historically used are combined using the Wang and Park (2017) Public Communication Model that was used when investigating the incident handling strategies used by Yahoo, which experienced another malware-initiated breach like Equifax. This research attempts to answer the question; Did Equifax use effective incidence handling strategies as it responded to the 2017 big data breach? It is important for organizations that have undergone a massive cyber incident to apply theories on crisis management when handling such incidents to minimize the damage to performance and reputation.[4] An investigation into the 2017 incident that resulted from the use of malware by cyber criminals will assist in assessing the decision-making and information processes that were used by the company and any errors that it did in those actions. The lessons from such errors may help companies that are cyber-attacked in the future to reduce the negative effects of the data breach they may experience.[5] The use of diminishing and denial strategies as opposed to bolstering and rebuilding made the incident handling strategy of Equifax ineffective.
Literature Review
Most of the studies that have investigated the way Equifax handled the 2017 mega data breach suggest that the strategies it used were not very effective in restoring the productivity and reputation that existed before the breach. However, there is a need to apply different theoretical frameworks to find out whether such findings are supported by facts. This is because it is expected that even if an organization applies the best possible approach of handling a cyber incident, chances are that there will still be some losses in terms of the image of the company, which in turn may affect the productivity. There are various theories and models that have previously been utilized by researchers to understand how affected organizations handled the incident. It is important to place more emphasis on theoretical frameworks that help the researcher to understand the best ways in which the performance and public image can be restored through effective response strategies.
To understand how organizations attempt to restore their reputation after a crisis, Coombs (2007) came up with the SCCT (situational crisis communication theory), which most researchers rely on.[6] The theory by Coombs is a descriptive tool that matches the situation of the crises to the response used. The SCCT theory suggests three major response strategies, which include denial, diminish, and rebuild, although there are other strategies that extend from SCCT, such as bolstering and scapegoating. In the strategy of denial, the affected organization either either denies the presence of the incident or look for a scapegoat.[7] In the diminish strategy, the company downplays the incident by claiming it is not serious or denying responsibility. In the rebuild strategy, the organization either compensates the victims or offers an apology.[8]
Another strategy that is worth being considered when trying to understand how Equifax dealt with the 2017 crisis is the bolstering strategy. This strategy is used when reducing the effects of an incident on the reputation of a company so that the public opinion of the firm can be strengthened.[9] In most cases, it is used as a supplementary technique that stresses the organization’s positive record and history, while accepting the responsibility of the organization to handle the negative effects on behalf of the affected groups.[10]
The scapegoating strategy is another theory that should be explored in the attempt to understand how Equifax processed information and made important decisions after the incidence, as well as the errors it made in the response. Scapegoating is one example of the denial strategy in the SCCT, where the organization tries to place the blame on a third party instead of taking responsibility. International organizations often use this strategy to divert the perception of the public and disrupt media attention.[11] An organization using the strategy may blame either an outside organization or an internal party. This means that the organization may pick one of its staff or leader to assign the responsibility so that the perception of the whole organization remains positive, or it may place the blame on an external party.[12] Most researchers have found that the scapegoating strategy is detrimental because if it backfires, the reputation of the organization is worsened.[13] For instance, if the company picks one individual to blame for the crises and it turns out that the individual was innocent, the public will have a more negative attitude towards the organization because of its dishonesty.
Wand and Park (2017) introduced a useful model in their analysis of the incident handling strategy used by Yahoo in its response to the Yahoo data breach.[14] It is important to make use of this model because it can be used to assess the different strategies that Equifax applied when it was responding to the data breach. The model by Wang and Park includes various SCCT strategies of communication that organizations use after crises such as bolstering, diminish, denial, and rebuild strategies.[15] This theoretical framework implies that diminish and denial should be avoided because they deteriorate the image of the company while rebuilding and bolstering affect the reputation of the company positively. According to Kuipers et al. (2021), there is sufficient proof that Equifax applied both diminish and denial strategies.[16] It has been shown by previous research that the use of the diminish and denial strategies, as opposed to other strategies such as bolstering and rebuilding, can be detrimental to the reputational and the overall performance of an organization that has been affected by a major cyber incident.[17] Based on this knowledge, a hypothesis that Equifax did not use effective incident handling strategies in dealing with the breach is adopted in this paper.
Methodology
This research relies on the analysis of mined texts from the official releases that were issued by Equifax Company in the wake of the malware attack that led to the data breach in 2017. To identify and measure the variables for the study, the researcher applied text mining and the analysis of word frequency. This is enabled by the ability of the TextSTAT software to identify the concordance of keywords with the contexts and keywords in typed documents.[18] The extraction of keyword frequencies form Equifax’s official documents was enabled by the use of the TextSTAT software. The software is an inexpensive and downloadable application that assists the researcher to mine and analyze the frequently used important words that relate to the context of the issue being studied.
In this research, the software was used to correlate the major words that relate to how the company responded to and reacted to the breach to found out if the communication process was effective to the reputation of the company in the public and the overall performance after the breach. This implies that the texts obtained from the official documents were used to give important information on the public communication process that Equifax applied when it publicly reacted to the breach in 2017, the same year that the breach occurred. In the analysis of the collected data, the frequencies of some keywords were identified using the TextSTAT software and those frequencies were interpreted in relation to the public communication framework. Some of the words that will be checked if they were widely used in the public releases by Equifax include Equifax, people, consumers, profit, service, and apology, among others. The three official public releases that will be used to collect the data using the TextSTAT app are the three online documents that the company published in 2017, on September 7,[19] September 15,[20] and October 2.[21]
In the investigation of how the company handled the data breach incident and to illustrate the importance of the public communication model, the research applies the method of content analysis of Equifax’s texts in online business communication. The content analysis method was previously applied in Wang and Park (2017), when they studied the techniques of public communication that Yahoo used when they handled the Yahoo data breach. The choice of the TextSTAT software in the process of content analysis was based on the simplicity of the software, its low usage cost, and its reliability in giving quantitative data from text data.[22] The software is able to analyze objective text data and give quantitative word frequencies and the context in which the words are used.
The case study of Equifax data breach was chosen for analysis because it represents a perfect example of how malware attacks can be used by hackers and result in a significant organizational losses in terms of financial costs and reputational losses. It is one of the most recent and massive data breach incidents that exposed sensitive customer information owned by millions of United States citizens.[23] Investigating how the company dealt with the Equifax massive data breach is important because it guides companies that are victims of data breaches on how they should respond to the issue, based on the weaknesses and strengths of the public communication process that the company applied after the malware attack.
One of the main weaknesses of the design of data mining and content analysis is that it depends on software, implying that errors may occur when identifying the contexts in which the words were applied. This implies that the content analysis method can be exposed to increased error because of the high level of interpretation that is required of the software when carrying out relational analysis.[24] Nevertheless, to ensure that such errors of the software, the researcher carried out a cross-check of all the words that the software identified for analysis to find out if the context of the words is relevant to the public communication processes. If some words were found to be irrelevant they were removed. The other limitation is the long time used in the analysis. But this problem was addressed by starting the processes early enough to complete it in time.
Analysis and Findings
The TestSTAT softaware extracted the frequencies of keywords from three important online public release document that Equifax published in 2017 regarding its data breach. From the aggregate frequencies of the keywords that the software mined relating to the communication process, there were 12 important words that were found very relevant to the public communication process that the company used, as illustrated in the table below. Form a majority of the words that the company used in its online public communication, the software did not identify any word that had a negative association to the image of the firm. From the 30 words that had the highest frequency, the 13 keywords that are associated to the communication process and the company’s reputation or image from the three important documents were sorted by the software as shown in Table 1 below.
| Word | Frequency |
| Consumers | 99 (45 for the word consumer and 54 for the word consumers) |
| Equifax | 77 |
| Services (or service) | 74 |
| News | 66 |
| Technology | 67 |
| Product(s) | 64 |
| Policy | 61 |
| Media | 55 |
| Business | 53 |
| Financial | 48 (financial 39 words and Finance 10 words) |
| Health | 45 |
| People | 34 |
| Security | 31 |
The words mined as the most frequently used can be used to find out the public communication strategy that the company adopted as it dealt with the data breach. The repetition and high frequency of the words identified by the TextSTAT software illustrate how Equifax tried to create a positive corporate image to benefits from the effects of public communication. For example, the repeated use of words such as media and news implies that the organization was aware of the news media and its influence on the way the public perceived the company after the cyber incident of 2017. However, the more frequent use of words such as consumers, consumer, people, and public in the online communication of the organization implies that the company constantly gave priority to the attention of the public, especially its customers.
Apart from mentioning the words related to the people it targeted in the communication, the company also constantly used words that represent things that interest such people. For instance, the use of words such as services, technology, policy, product, financial, health, and security shows that the company chose to communicate messages that most people would wish to hear from the company after the data breach. At the same time, the extremely high frequency at which the company used the word Equifax in its public communication could help in emphasizing the presence of the company and generating the blockbuster marketing effect. The use of the company’s name can bring an effect that is similar to that of using buzz words.
The content analysis of the selected press release documents from Equifax that were issued following the occurrence of the 2017 data breach indeed reveals important information about the public communication model that is proposed in this research paper. The high-frequency words used in the public releases as identified by the TextSTAT software can identify the strategies and components of the model. In the September 17 press release, the company emphasized that there had been no evidence that the commercial credit reporting database and the core consumer database had not witnessed any unauthorized access.[25] In the same initial press release, the company shifted the blame to another party by stating that the criminals that had used malwares to access some files of the clients had done so by exploiting a United States website app vulnerability. This strategy of attempting to shift blame to shift the blame to a third party is a good example of the diminish strategy.
The rebuild strategy was also applied by Equifax in some of the positive actions that it carried out after the incident. This can be seen in the analyzed documents from the several repeated apologies that Equifax issued to the business partners and consumers who had been significantly impacted by the breach. Also, the rebuilt strategy can also be seen in the fact that the company assured all impacted clients that they would obtain free identity theft protection and credit monitoring from the company. In response to the frustrations and concerns of the public, consumers, and business customers that resulted from the breach, Equifax also promised to carry out an independent investigation into the breach and to improve the protection of the information security of all its consumers.
A further analysis of the various contexts in which the frequently used words appeared in the public releases shows that the company also attempted to use the bolstering strategy. The bolstering strategy is especially visible in the initial release of September 7, 2017. In that public release, Equifax stated that the organization is proud to be a leader in protecting and managing data. Additionally, the bolstering technique can be seen in the company’s good-will, which is seen in the way the company willingly released the technical details of the incident. The release of the details included a timeline of the major developments of the breach, as the company had discovered. Similarly, in its second online public release, the company detailed how it was engaging with law enforcement bodies such as the FBI so as to investigate the matter. Also, an analysis of how the frequent words were used in the three documents used in this research shows that the company was willing to give additional support actions and efforts for the affected customers. All these actions show how Equifax applied the bolstering strategy to assure the public that it was a responsible organization.
Concerning the strategy of scapegoating, the analysis of the mined repetitive words does not indicate any instance in which the company placed the blame on one internal or external party. Also, there was no evidence that the organization tried to share the blame with another organization. The only example that the company accused another party is when it attributed the breach to third party criminals that used malware to illegally access the information of the clients. Such an example cannot be used to say that the organization applied scapegoating because the cyber criminals were not part of the responsible parties, but they were part of the problem itself. Nevertheless, the company actually implicated the former CEO and chairman, Richard Smith, because he was in charge of all the operations of the company, although there were several individuals who acted immediately below him.[26] Although the company did not entirely place the blame on the former CEO, its policy showed that the CEO had failed and, consequently, he announced his retirement from the senior position three weeks after the breach was officially announced.[27] Upon retiring, Smith admitted that he was fully responsible for the company’s failure to prevent the breach.[28] Therefore, even if the company itself did not place the whole blame on the former chairperson and CEO, his reaction of retiring immediately after the breach and his admission that he was responsible can be regarded as an implication that he was indeed forced to act as the scapegoat. This is because these actions show that he took the blame in place of the whole organization, which protected everyone else form being found responsible for the cyber incident.
In terms of the effects of the incident handling strategies that Equifax used in the wake of the breach, it can be argued that there are other factors that affected the results of the strategies. For example, Wiener-Bronner (2017) believes that the delay of six weeks after identification of the breach before the company announced the occurrence of the breach could have serious effects on the strategies that were later used.[29] It is also worth noting that three of the shareholders in the company sold their stock shares of the company after the incident was identified and before the close to 145 million clients knew about the compromise on their personal information.[30] Another factor that could have affected the effectiveness of the incident handling strategy that Equifax applied after the breach is the security policy that was used in the initial stages of reporting the breach to the public. For example, in the disclosure that Equifax initially made on its official web portal, the username and passwords that it used were very insecure and could be very easily cracked or guessed. The company had used the username of admin and the password of admin, which were very simple to be guessed by malicious people.[31] It created a feeling the company is not serious about securing the information under its custody.
The content analysis of the key words that were used by Equifax in its public communication strategies, as well as evidence from other sources, indicate that incident handling strategy of the company was not effective. The negative reaction of the public that continued for over one year and the performance of the company in that period show that the incident handling strategy was ineffective. For example, according to U.S. News (2017), the company underwent a cost estimate of hundreds of millions of dollars and there was a 14 percent close down of Equifax’s stock value.[32] The use of the public communication model shows that the response to the incident did not mitigate the loss of money and reputation from the incident.
Conclusion
The content analysis method used in this research, as well as evidence from used sources, was effective in revealing the incident handling strategy applied by Equifax as it responded to the effects of the 2017 data breach. The data that was mined using the TextSTAT software shows that the words that were often used by the company in its online official releases were meant to safeguard the image of the company through different strategies such as bolstering, rebuild, denial, diminish, and some aspects of scapegoating. The public communication model used in this paper enabled the researcher to look at all the strategies and theories mentioned above. The effect of the strategies was also affected by other actions of the company such as the selling of some shares by stakeholders and the delay in announcing the breach. Generally, the strategies used by Equifax failed in protecting its reputation and performance because of the use of diminish and denial strategies.
This research adds to the theoretical framework used by researchers to investigate the effectiveness of incident handling strategies by organizations that have faced big data breaches. It improves the public communication model devised by Wang and Park (2017) by showing that it is possible to investigate the response of a company to a cyber incident by using the model to collectively assess the situational crisis communication theory. The techniques applied in SCCT can be collectively investigated using the public communication model include bolstering, rebuild, denial, diminish, and scapegoating. All these were investigated using the communication techniques that Equifax applied in its official public releases. In future related researches, the use of the public communication model can further be improved by applying different methodologies other than data mining and content analysis, which were used in this paper.
Sources
Ahmad, R. (2017). Fatal brand crisis: can bolstering strategy rebuild the tarnished reputation?. Journal of Technology Management and Business, 4(2).
Coombs, W. Timothy, Sherry J. Holladay, and Karen L. White. “situational crisis communication theory (SCCT) and application in dealing with complex, challenging, and recurring crises.” In Advancing crisis communication effectiveness, pp. 165-180. Routledge, 2020.
Dwyer, Colin. “Equifax Chief Steps Down After Massive Data Breach.” NPR. (2017, September 26). https://www.npr.org/sections/thetwo-way/2017/09/26/553693826/Equifax-chief-steps-down-after-massive-data-breach#:~:text=Press-,Equifax%20CEO%20Richard%20F.,up%20to%20143%20million%20consumers.
Equifax. Equifax announces cybersecurity firm has concluded forensic investigation of cybersecurity incident. (2017, October 2). Retrieved from https://investor.Equifax.com/news-and-events/news/2017/10-02- 2017-213238821
Equifax. Equifax announces cybersecurity incident involving consumer information. (2017, September 7). Retrieved from https://investor.Equifax.com/news-and-events/news/2017/09-07-2017-213000628
Equifax. Equifax releases details on cybersecurity incident, announces personnel changes. (2017, September 15). Retrieved from https://investor.Equifax.com/news-and-events/news/2017/09-15-2017-224018832
Karunakaran, Sowmya, Kurt Thomas, Elie Bursztein, and Oxana Comanescu. “Data breaches: User comprehension, expectations, and concerns with handling exposed data.” In Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018), pp. 217-234. 2018.
Kuipers, Sanneke, and Michael Schonheit. “Data breaches and effective crisis communication: a comparative analysis of corporate reputational crises.” Corporate Reputation Review (2021): 1-22.
Matthews, L. Equifax website secured by the worst username and password possible. Forbes. (2017, September 13). Retrieved from https://www.forbes.com/sites/leemathews/2017/09/13/Equifax-website-secured-by-theworst-username-and-password-possible/#7d833287457d
Moisio, Risto, Sonia Capelli, and William Sabadie. “Managing the aftermath: Scapegoating as crisis communication strategy.” Journal of Consumer Behaviour 20, no. 1 (2021): 89-100.
Murthy, G. S. N., M. V. V. Chowdary, M. V. Sangameswar, and T. P. R. Vital. “Exploring the API Calls for Malware Behavior Detection using Concordance and Document Frequency.” International Journal of Engineering and Advanced Technology
Primoff, Walter, and Sidney Kess. “The Equifax data breach: What CPAS and firms need to know now.” The CPA Journal 87, no. 12 (2017): 14-17.
Teoh, Adlyn Adam, Norjihan Binti Abdul Ghani, Muneer Ahmad, NzJhanjhi, Mohammed A. Alzain, and Mehedi Masud. “Organizational data breach: Building conscious care behavior in incident response.” Computer Systems Science and Engineering 40, no. 2 (2022): 505-515.
U.S. News. Equifax breach could have ‘decades of impact’. (2017, September 8). Retrieved from https://www.usnews.com/news/articles/2017-09-08/Equifax-breach-could-have-decades-of-impact-onconsumers
Wang, Ping, and Christopher Johnson. “Cybersecurity incident handling: a case study of the Equifax data breach.” Issues in Information Systems 19, no. 3 (2018).
Wang, Ping, and Sun-A. Park. “COMMUNICATION IN CYBERSECURITY: A PUBLIC COMMUNICATION MODEL FOR BUSINESS DATA BREACH INCIDENT HANDLING.” Issues in Information Systems 18, no. 2 (2017).
Wiener-Bronner, Danielle. “Equifax breach: How a hack became a public relations catastrophe.” CNN. (2017, September 13). Retrieved from http://money.cnn.com/2017/09/12/news/companies/Equifax-pr-response/index.html
Zou, Yixin, Abraham H. Mhaidli, Austin McCall, and Florian Schaub. “” I’ve Got Nothing to Lose”: Consumers’ Risk Perceptions and Protective Actions after the Equifax Data Breach.” In Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018), pp. 197-216. 2018.
[1] Primoff, Walter, and Sidney Kess. “The Equifax data breach: What CPAs and firms need to know now.” The CPA Journal 87, no. 12 (2017): 14-17.
[2] Zou, Yixin, Abraham H. Mhaidli, Austin McCall, and Florian Schaub. “I’ve Got Nothing to Lose”: Consumers’ Risk Perceptions and Protective Actions after the Equifax Data Breach.”
[3] Teoh, Adlyn Adam, Norjihan Binti Abdul Ghani, Muneer Ahmad, NzJhanjhi, Mohammed A. Alzain, and Mehedi Masud. “Organizational data breach: Building conscious care behavior in incident response.” Computer Systems Science and Engineering 40, no. 2 (2022): 505-515.
[4]Teoh, Adlyn Adam, Norjihan Binti Abdul Ghani, Muneer Ahmad, NzJhanjhi, Mohammed A. Alzain, and Mehedi Masud. “Organizational data breach: Building conscious care behavior in incident response.” Computer Systems Science and Engineering 40, no. 2 (2022): 505-515.
[5] Karunakaran, Sowmya, Kurt Thomas, Elie Bursztein, and Oxana Comanescu. “Data breaches: User comprehension, expectations, and concerns with handling exposed data.” In Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018), pp. 217-234. 2018.
[6] Coombs, W. Timothy, Sherry J. Holladay, and Karen L. White. “situational crisis communication theory (SCCT) and application in dealing with complex, challenging, and recurring crises.” In Advancing crisis communication effectiveness, pp. 165-180. Routledge, 2020
[7] Coombs, W. Timothy, Sherry J. Holladay, and Karen L. White. “situational crisis communication theory (SCCT) and application in dealing with complex, challenging, and recurring crises.” In Advancing crisis communication effectiveness, pp. 165-180. Routledge, 2020
[8] Coombs, W. Timothy, Sherry J. Holladay, and Karen L. White. “situational crisis communication theory (SCCT) and application in dealing with complex, challenging, and recurring crises.” In Advancing crisis communication effectiveness, pp. 165-180. Routledge, 2020
[9]Kuipers, Sanneke, and Michael Schonheit. “Data breaches and effective crisis communication: a comparative analysis of corporate reputational crises.” Corporate Reputation Review (2021): 1-22.
[10]Kuipers, Sanneke, and Michael Schonheit. “Data breaches and effective crisis communication: a comparative analysis of corporate reputational crises.” Corporate Reputation Review (2021): 1-22.
[11]Moisio, Risto, Sonia Capelli, and William Sabadie. “Managing the aftermath: Scapegoating as a crisis communication strategy.” Journal of Consumer Behaviour 20, no. 1 (2021): 89-100.
[12]Moisio, Risto, Sonia Capelli, and William Sabadie. “Managing the aftermath: Scapegoating as a crisis communication strategy.” Journal of Consumer Behaviour 20, no. 1 (2021): 89-100.
[13]Moisio, Risto, Sonia Capelli, and William Sabadie. “Managing the aftermath: Scapegoating as a crisis communication strategy.” Journal of Consumer Behaviour 20, no. 1 (2021): 89-100.
[14] Wang, Ping, & Park, S. 2017. Communication in Cybersecurity: A public communication model for business data breach incident handling. Issues in Information Systems, 18(2), 136-147.
[15] Wang, Ping, & Park, S. 2017. Communication in Cybersecurity: A public communication model for business data breach incident handling. Issues in Information Systems, 18(2), 136-147.
[16] Kuipers, Sanneke, and Michael Schonheit. “Data breaches and effective crisis communication: a comparative analysis of corporate reputational crises.” Corporate Reputation Review (2021): 1-22.
[17] Ahmad, R. (2017). Fatal brand crisis: can bolstering strategy rebuild the tarnished reputation? Journal of Technology Management and Business, 4(2).
[18] Diniz, Luciana. “Review of TextStat 2.5, AntConc 3.0, and Compleat Lexical Tutor 4.0.” Language Learning & Technology 9, no. 3 (2005): 22-27.
[19] Equifax. Equifax announces cybersecurity incident involving consumer information. (2017, September 7). Retrieved from https://investor.Equifax.com/news-and-events/news/2017/09-07-2017-213000628
[20] Equifax. Equifax releases details on cybersecurity incident, announces personnel changes. (2017, September 15). Retrieved from https://investor.Equifax.com/news-and-events/news/2017/09-15-2017-224018832
[21] Equifax. Equifax announces cybersecurity firm has concluded forensic investigation of cybersecurity incident. (2017, October 2). Retrieved from https://investor.Equifax.com/news-and-events/news/2017/10-02- 2017-213238821
[22] Diniz, Luciana. “Review of TextStat 2.5, AntConc 3.0, and Compleat Lexical Tutor 4.0.” Language Learning & Technology 9, no. 3 (2005): 22-27.
[23] Zou, Yixin, Abraham H. Mhaidli, Austin McCall, and Florian Schaub. “” I’ve Got Nothing to Lose”: Consumers’ Risk Perceptions and Protective Actions after the Equifax Data Breach.”
[24] Leetaru, Kalev. Data mining methods for the content analyst: An introduction to the computational analysis of content. Routledge, 2012.
[25] Equifax. Equifax announces cybersecurity incident involving consumer information. (2017, September 7). Retrieved from https://investor.Equifax.com/news-and-events/news/2017/09-07-2017-213000628
[26] Dwyer, Colin. “Equifax Chief Steps Down After Massive Data Breach.” NPR. (2017, September 26). https://www.npr.org/sections/thetwo-way/2017/09/26/553693826/Equifax-chief-steps-down-after-massive-data-breach#:~:text=Press-,Equifax%20CEO%20Richard%20F.,up%20to%20143%20million%20consumers.
[27] Zou, Yixin, and Florian Schaub. “Concern But No Action: Consumers’ Reactions to the Equifax Data Breach.” In Extended abstracts of the 2018 CHI conference on human factors in computing systems, pp. 1-6. 2018.
[28] Dwyer, Colin. “Equifax Chief Steps Down After Massive Data Breach.” NPR. (2017, September 26). https://www.npr.org/sections/thetwo-way/2017/09/26/553693826/Equifax-chief-steps-down-after-massive-data-breach#:~:text=Press-,Equifax%20CEO%20Richard%20F.,up%20to%20143%20million%20consumers.
[29] Wiener-Bronner, Danielle. “Equifax breach: How a hack became a public relations catastrophe.” CNN. (2017, September 13). Retrieved from http://money.cnn.com/2017/09/12/news/companies/Equifax-pr-response/index.html
[31] Matthews, L. Equifax website secured by the worst username and password possible. Forbes. (2017, September 13). Retrieved from https://www.forbes.com/sites/leemathews/2017/09/13/Equifax-website-secured-by-theworst-username-and-password-possible/#7d833287457d
[32] U.S. News. Equifax breach could have ‘decades of impact’. (2017, September 8). Retrieved from https://www.usnews.com/news/articles/2017-09-08/Equifax-breach-could-have-decades-of-impact-onconsumers
write