
Data Breach Communications Archive: Equifax to Change Healthcare
Fifteen years of defining breach communications cases — Equifax, T-Mobile, PayPal, MOVEit, MGM, Change Healthcare — and the playbook every response team runs against.

Fifteen years of defining breach communications cases — Equifax, T-Mobile, PayPal, MOVEit, MGM, Change Healthcare — and the playbook every response team runs against.

Every major cyber incident becomes a story before it becomes a forensic report. Stakeholders judge what happened by how it was explained. The Trust Equation — trust lost = impact × perception of response. Why cybersecurity PR is operational defense, not adjacent support.

The December 2022 PayPal credential-stuffing breach accessed approximately 35,000 customer accounts using credentials stolen from unrelated breaches on other platforms. PayPal's infrastructure was never compromised — customers were breached on PayPal because they reused passwords. The canonical fintech credential-stuffing case study.

T-Mobile disclosed a breach affecting ~40M former/prospective customers, 7.8M current postpaid, and 850K prepaid — SSNs, DOBs, driver's license data exposed. The fifth breach in four years. Mike Sievert's response and the pattern regulators are watching.

Stock price recovery is not reputation recovery. Equifax's share price climbed back. The brand file did not. A standing reference for how long a reputation event survives the financial recovery — and what it actually takes to close the file.

143 million American consumers exposed in a single breach. Equifax remains the textbook crisis-communications case for the data-breach era — and the standing reference every modern breach-response playbook is built against.

The cover-up always outlasts the breach. What surfaced after the initial Equifax disclosure extended the crisis by years — and reset how every modern breach-response operation manages the document trail in the first thirty days.

A crisis communications case study of the July 2015 Ashley Madison data breach: The Impact Team, Avid Life Media, the Levick engagement, and the brand-promise problem at the center of the response.

Originally published 2013, updated 2026. Internet privacy is now a cybersecurity problem — breaches at scale, AI training data, commercial spyware, biometric brokers, and Salt Typhoon-class infrastructure attacks.

Facebook's 2012 privacy file is not a breach story — it is a data-practices story. Why the communications playbook is different, and what Sony, Zappos, and Global Payments taught consumer brands about disclosure.