Equifax's Data Breach Costs Hit $1.4 Billion
Massive 2017 Breach Continues to Bite the Credit Reporting Giant's Bottom Line
Credit reporting giant Equifax has spent nearly $1.4 billion on cleanup costs as well as overhauling its information security program following its massive 2017 data breach.
Two years after the data breach, which began on May 13, 2017, and which the company discovered and began remediating on July 29, 2017, the resulting legal costs and investigations haven't stopped taking a big bite out of the company's bottom line.
On Friday, Atlanta-based Equifax announced its financial results for the first quarter of 2019, ending March 31, reporting a loss of $555.9 million, compared to net income of $90.9 million in the first quarter of 2018. Equifax's quarterly revenue was $846.1 million, down 2 percent compared to the first quarter of 2018 although up 1 percent on a local currency basis.
Sales barely missed analysts' average expectations of $852.9 million - less than a 1 percent difference - while the $1.20 actual earnings per share fell below analysts' $1.23 expectation, according to data from Reuters.
Breach Impacted Half of All Americans
Equifax's data breach resulted in the exposure of the personal data of 148 million individuals in the U.S., or 56 percent of all American adults - representing nearly half of the total U.S. population. The breach also exposed information for 15 million U.K. citizens and about 20,000 Canadians. The breach led to Congressional probes, probes by privacy authorities in the U.K. and Canada, and dozens of lawsuits and formal investigations by state attorneys general. It also led to the departure of the company's CEO, as well as its top two information security personnel.
A House report into the breach released last December concluded that the breach "was entirely preventable," while a Senate report from last month concluded that the breach response was "inadequate and hampered by Equifax's neglect of cybersecurity."
A U.S. Government Accountability Office report released last September into the 76-day breach, during which attackers slowly exfiltrated data from 51 databases, identified five key factors that contributed to the breach: identification, detection, segmentation and data governance, as well as a failure to rate-limit database requests. Had any one of those factors been better handled, GAO said, the breach may not have occurred (see: Postmortem: Multiple Failures Behind the Equifax Breach).
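Two of the GAO factors above, detection and rate-limiting of database requests, are the kind of controls a defender can express in a few dozen lines. The following is an added illustration written for this page; it is not code from Equifax, the GAO report, or the article. The log format, client names, row counts and thresholds are all constructed: a slow, multi-day pull from several databases is compared against each client's own earlier daily volume, and a sliding-window limiter shows where excess requests would have been refused.

```python
"""Added example (not from the article or the GAO report): a toy detector
for slow, sustained database exfiltration plus a per-client request rate
limiter. Log format, client names, thresholds and volumes are constructed."""
import statistics
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> client=<id> db=<name> rows=<returned>"
# Day 1 is ordinary traffic; on day 2 one client starts pulling large result
# sets from several databases in quick succession.
SAMPLE_LOG = """\
2017-06-01T02:00:00 client=app-web-1 db=customers rows=40
2017-06-01T02:05:00 client=app-web-1 db=customers rows=55
2017-06-01T02:07:00 client=app-web-2 db=orders rows=30
2017-06-02T02:00:00 client=app-web-1 db=customers rows=35
2017-06-02T02:10:00 client=app-web-1 db=customers rows=60
2017-06-02T02:11:00 client=app-web-1 db=orders rows=500
2017-06-02T02:12:00 client=app-web-1 db=orders rows=520
2017-06-02T02:13:00 client=app-web-1 db=orders rows=480
2017-06-02T02:14:00 client=app-web-1 db=orders rows=510
2017-06-02T02:15:00 client=app-web-1 db=accounts rows=505
2017-06-02T02:16:00 client=app-web-1 db=accounts rows=495
"""


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({
            "ts": datetime.fromisoformat(ts_str),
            "client": kv["client"],
            "db": kv["db"],
            "rows": int(kv["rows"]),
        })
    return events


def daily_volume_alerts(events, factor=5.0, min_rows=1000):
    """Flag (client, day, rows, distinct_dbs) where a client's returned-row
    volume for a day exceeds `factor` times the median of that client's
    earlier days and is at least `min_rows` (hypothetical thresholds)."""
    rows_per_day = defaultdict(lambda: defaultdict(int))
    dbs_per_day = defaultdict(lambda: defaultdict(set))
    for e in events:
        day = e["ts"].date()
        rows_per_day[e["client"]][day] += e["rows"]
        dbs_per_day[e["client"]][day].add(e["db"])

    alerts = []
    for client, days in rows_per_day.items():
        history = []  # this client's earlier daily volumes, the baseline
        for day in sorted(days):
            rows = days[day]
            if history:
                baseline = statistics.median(history)
                if rows > factor * baseline and rows >= min_rows:
                    alerts.append((client, day.isoformat(), rows,
                                   len(dbs_per_day[client][day])))
            history.append(rows)
    return alerts


def rate_limit(events, max_requests=5, window=timedelta(minutes=10)):
    """Sliding-window limiter: return the events that would be refused because
    the client already issued `max_requests` within the trailing `window`.
    A refused request does not consume budget."""
    recent = defaultdict(deque)  # client -> timestamps of accepted requests
    rejected = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        q = recent[e["client"]]
        while q and q[0] <= e["ts"] - window:  # drop requests outside the window
            q.popleft()
        if len(q) >= max_requests:
            rejected.append(e)
            continue
        q.append(e["ts"])
    return rejected


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for alert in daily_volume_alerts(evts):
        print("volume alert:", alert)
    for e in rate_limit(evts):
        print("would refuse:", e["ts"], e["client"], e["db"])
```

The volume check deliberately compares each client against its own history rather than a global constant, because a quiet, long-running exfiltration (the 76 days described above) looks small per request and only stands out against a per-client baseline; the limiter is the complementary control that caps how fast any single client can drain a database regardless of what it is asking for.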
Data Breach Costs Mount
Equifax had a $125 million cybersecurity insurance policy at the time it was breached, with a $7.5 million deductible. "We have received the maximum reimbursement under the insurance policy of $125 million, all of which was received prior to 2019," it says.
Meanwhile, costs arising from the data breach continue to mount.
The company's 2019 first quarter balance sheet lists $82.8 million in technology and data security costs arising from the data breach, including "incremental costs to transform our technology infrastructure and improve application, network, data security, and the costs of development and launch of Lock and Alert." The latter is an Equifax product that allows individuals to lock and unlock their credit report with Equifax.
The balance sheet also lists $12.5 million in quarterly legal and investigative fees, referring to costs associated with "legal, government and regulatory investigations."
It also lists $1.5 million for product liability, referring to Equifax offering breach victims 12 months of prepaid access to the TrustedID identity theft monitoring service from rival credit bureau Experian. Last year, breach victims were also offered a further 12 months of free service if they migrated to Experian's IDnotify product (see: Congratulations: You Get 'Free' Identity Theft Monitoring).
The first quarter results also include "a pre-tax legal accrual of $690 million for losses associated with certain legal proceedings and investigations related to the 2017 cybersecurity incident," the company says.
$1.35 Billion in Breach Costs
With that accrual, the company says it has recorded $1.35 billion in costs resulting from the data breach, including not only incident response but also new technology and data security changes.
"Costs related to the 2017 cybersecurity incident are defined as incremental costs to transform our IT infrastructure and data security; legal fees and professional services costs to investigate the 2017 cybersecurity incident and respond to legal, government and regulatory claims; as well as costs to provide the free product and related support to the consumer," Equifax says.
Breach costs may continue to increase. "It is not possible at this time to estimate the additional possible loss in excess of the amount already accrued that might result from adverse judgments, settlements, penalties or other resolution of the proceedings and investigations related to the 2017 cybersecurity incident based on a number of factors," Equifax says.
Such factors include ongoing investigations, lawsuits as well as uncertainties over how consumer lawsuits, seeking class-action status, might resolve. "The ultimate amount paid on these actions, claims and investigations in excess of the amount already accrued could be material to the company's consolidated financial condition, results of operations, or cash flows in future periods," Equifax says.
Canada Concludes Probe
Last month, Canada's privacy commissioner concluded its investigation into Equifax's data breach, finding that the company's controls were "unacceptable."
"Given the vast amounts of highly sensitive personal information Equifax holds, and its pivotal role in the financial sector as a credit reporting agency, it was completely unacceptable to find such significant shortcomings in the company's privacy and security practices," said Daniel Therrien, Canada's privacy commissioner.
Equifax has signed a compliance agreement with the privacy commissioner. The agreement requires the credit bureau's Canadian division to submit third-party audit reports on both its security as well as the security of its parent company to the Office of the Privacy Commissioner every two years, for the next six years.
"This will allow for ongoing monitoring of compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private sector privacy law, including assessing the steps taken by Equifax since the breach," the commissioner said.
UK Regulators Levied Maximum Penalty
Last September, British authorities concluded their breach investigation. The Information Commissioner's Office, which is the U.K.'s data protection authority and enforces the country's privacy laws, announced a £500,000 ($651,000) fine against Equifax (see: Equifax Hit With Maximum UK Privacy Fine After Mega-Breach).
Following an investigation into the breach, conducted in parallel with Britain's Financial Conduct Authority, the ICO cited Equifax "for failing to protect the personal information of up to 15 million U.K. citizens during a cyberattack in 2017."
Because the breach occurred before the EU's General Data Protection Regulation came into full effect in May 2018, Equifax was spared the threat of facing the regulation's strong potential sanctions. GDPR allows for maximum fines of up to 4 percent of an organization's annual global revenue or €20 million ($22.5 million), whichever is greater.
Lawsuits and Probes Continue
As Equifax makes clear in its latest quarterly filing, it's not yet certain how much the 2017 data breach will end up costing the company. Equifax says it faces more than 1,000 individual consumer actions, including lawsuits seeking class-action status, in U.S. state and federal courts. Last Monday, meanwhile, the state of Indiana became the latest to sue Equifax over the data breach.
AG Curtis Hill files lawsuit against Equifax over 2017 data breach pic.twitter.com/f0uLhk7JHy
— Curtis T. Hill, Jr. (@AGCurtisHill) May 6, 2019
Other government probes continue. In February, Equifax said in its 2018 annual report to the U.S. Securities and Exchange Commission that it expects to be hit with "injunctive relief damages" by both the Federal Trade Commission and the Consumer Financial Protection Bureau. It also expects to face "civil money penalties" levied by the CFPB as well as penalties imposed by the New York State Department of Financial Services.
"The staffs of the CFPB and FTC have informed us that their respective agencies intend to seek injunctive relief damages and, with respect to the CFPB, civil money penalties against us based on allegations related to the 2017 cybersecurity incident," Equifax says in the February filing. "On Oct. 2, 2018, the enforcement staff of the NYDFS provided us with notice that it is considering recommending that the NYDFS take legal action against us, potentially seeking consumer relief and civil money penalties."