Equifax could end up paying as much as $9.5bn following a data breach settlement branded one of the largest in history by its presiding judge.
The credit reporting giant suffered a major cyber-attack in 2017 after hackers exploited an unpatched Apache Struts vulnerability, compromising highly sensitive personal and financial information on around 148 million customers.
Over two-fifths (44%) of the population of the US are thought to have been affected.
This week, a court in Georgia finally approved a settlement in the long-running class action case that followed the breach, which will require Equifax to pay $380.5m, plus potentially an extra $125m, to satisfy claims of out-of-pocket losses.
However, that’s just a small part of the overall financial impact of the ruling.
The firm has agreed to spend at least $1bn on improving its cybersecurity posture over the coming five years. It will also need to fund several years of credit monitoring from Experian and its own services for class members. That could amount to an extra $2bn if all 140 miilion+ customers sign up.
That’s not to mention the $6bn in credit monitoring services already being claimed by several million class members, their $77.5m in attorney fees and further amounts in litigation expenses that Equifax will need to pay.
The total could creep up towards $10bn — a cautionary tale for organizations tempted to focus on business growth at the expense of cybersecurity and risk mitigation.
“This settlement is the largest and most comprehensive recovery in a data breach case in US history by several orders of magnitude,” wrote district judge Thomas Thrash.
“The minimum cost to Equifax of the settlement is $1.38bn and could be more, depending on the cost of complying with the injunctive relief, the number and amount of valid claims filed for out-of-pocket losses and the number of class members who sign up for credit monitoring.”