Future Tense

Equifax’s Data Breach PR Statement, a Close Reading

Just a little data breach affecting 143 million U.S. consumers.


On July 29 the credit reporting agency Equifax discovered that someone had accessed enormous amounts of the information that it held. This Thursday—more than a month later—Equifax released a statement announcing the breach and the company’s planned response.

As is so often the case with such statements, this is a shambolic text evincing collective and perhaps contentious authorship: Note, for example, the erratic spacing after periods, sometimes one, sometimes two. (In one case, the space seems to be missing altogether after a hyperlink.) In such details, we glimpse the outer edges of a hastily assembled response: Paragraphs bounced back and forth between divisions and departments over email, lawyers screaming at one another over the phone.

Given, however, that Equifax had more than a month to labor over these words, we also can and must read also read the statement as a carefully crafted object, a sort of prose poem for our troubled times.

The key to this challenging text’s style arrives in its opening paragraph. Having breezily introduced what happened (“a cybersecurity incident”) and to whom it happened (“approximately 143 million U.S. consumers”), our anonymous authors abruptly pull back from the scene of the crime. “The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases,” they write. In this statement from Equifax itself, “the company” rings strange, somehow suggesting that Equifax is not an actor in its own drama.

More importantly, though, this phrase confronts us with a wan sort of bathos that seems almost satirical. Having outlined a breach so enormous as to border on the sublime, we are implicitly told that we need not worry after all. Never mind the very real threats of identity theft. No one has actually manipulated your credit rating, it seems to propose. Yes, unknown criminals almost certainly have information about you, oh reader, but, no, you need not fear.

The statement’s second paragraph comes hard and fast with the true details of the hack, almost immediately undermining the wan gesture of assurance that concludes the first. The information “primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.”

And yet, Equifax’s artistes erratically (but strategically) reintroduce notes of minimization, a deliberate arrhythmia of irony: Yes, more than 100 million Social Security numbers, birth dates, and addresses may have been compromised, but driver’s license numbers have only been accessed “in some instances.” This is a phrase whose power flows from its uncertainty. How many is some? Should I count myself among their number?

As in the fragmentary remnants of Sappho’s poetry, we recognize ourselves in these lines precisely because they are incomplete. The company has also, we learn, “identified unauthorized access to limited personal information for certain UK and Canadian residents.” (Italics mine.) These vague adjectives—“limited” and “certain”—suggest a kind of effortless shrug, especially in contrast to the hard and huge numbers that precede them. In the poetry of Equifax, what is large is always also small, the enormity of the situation not quite so enormous as one might fear.

This commitment to irony takes on a new form soon after as a single voice—that of Equifax CEO Richard F. Smith—begins to emerge from the corporate chorus. Smith almost, but never quite, acknowledges that the situation itself constitutes a reversal of expectations. “We pride ourselves on being a leader in managing and protecting customer data,” says this man whose company has just made a mess of both of those tasks. Here, teetering on the brink of something like self-knowledge, Smith continues, “We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers.” We are obliged, he proposes, to trust him because he has failed us.

A fuller version of the statement that appears on PR Newswire further amplifies this dynamic interplay of trust and uncertainty. “These statements can be identified by expressions of belief, expectation or intention, as well as estimates and statements that are not historical fact,” it reads. In aggregate, “expressions,” “expectations,” and “estimates” add up to something more than the sum of their parts. Each admits to a degree of ignorance, but together they suggest a species of certainty. We know because we know so little, Equifax tells us, enacting a sort of auto-deconstruction that would make the French philosopher Jacques Derrida smile. A thing, this text repeatedly indicates, is inevitably evident in its opposite. History is always already shaped by the absence of “historical fact.”

Here, the ordinary logic of time grinds to a halt, every description of past action only ever an anticipation of what is to come. “Confronting cybersecurity risks is a daily fight,” CEO Smith declares near the end, eliding past failures and future struggles. “While we’ve made significant investments in data security, we recognize we must do more. And we will.”

We believe you, CEO Smith. And we don’t. As the text is written, so it demands.