Equifax has incurred losses so far of over $1.35bn from a devastating 2017 breach which affected more than half of all Americans and millions of UK consumers, the firm revealed in its latest financials.
The credit agency claimed in its Q1 2019 earnings statement that the figure “related to the incident, incremental technology and data security costs, and an accrual for losses associated with legal proceedings and investigations.”
The firm has recouped the maximum possible $125m, minus $7.5m, from an insurance policy, and claims that breach costs for the rest of this year will be less than those for 2018.
However, the first three months of 2019 saw the company shell out $82.8m for “technology and data security,” $12.5 for “legal and investigative fees,” and $1.5m for product liability. The largest sum ($690m) was listed as “accrual for legal matters” related to the 2017 breach.
As well as the $786.8m listed for Q1 2019, the firm detailed $68.7m it spent in Q1 2018.
Its technology and data costs “include incremental costs to transform our technology infrastructure and improve application, network, data security, and the costs of development and launch of Lock and Alert,” it explained. These include people, services and direct product costs.
The legal costs relate to payments to lawyers and professional services companies to investigate the incident and respond to legal, government, and regulatory investigations and claims. Product liability costs relate to its paying for free credit monitoring for customers.
The latest revelations can be seen as a cautionary tale of what happens when organizations fail to implement adequate cybersecurity.
The 2017 breach itself stemmed from exploitation of a known Apache Struts 2 flaw which was left unpatched. The subsequent exfiltration of data over several months compromised highly sensitive credit and personal information on over half of all American adults (148m) and 15 million UK consumers, as well as around 20,000 Canadians.
Although the UK’s ICO fined the firm the maximum £500,000 under the old regime, Equifax could have been hit with a penalty orders of magnitude greater if the incident had occurred after May 2018, when the GDPR came into effect.