The Daily Swig Web security digest

Equifax breach could be ‘most expensive in history’

Jessica Haworth | 05 March 2018 at 12:30

Credit rating agency predicted to incur total costs of $600 million – more than any cyber-attack in corporate history.

The 2017 Equifax breach could be the most expensive cybersecurity incident in corporate history, researchers have claimed.

Last week, Equifax reported that a further 2.4 million people were victims of the breach, which was initially disclosed in September last year, bringing the total to around 147.9 million people.

Now, it has been predicted that the cost of the cyber-attack could reach a record-breaking $600 million.

This is according to Larry Ponemon, chairman of Ponemon Institute, a research group focused on tracking cyber-attacks, who said: “It looks like this will be the most expensive data breach in history.”

Equifax reported last week that it expects $275 million in costs related to the cybersecurity incident, offset by $75 million in insurance.

This came as the company reported its financial results for the fourth quarter of 2017.

In a conference call on Friday, Paulino do Rego Barros, interim CEO of Equifax, apologized to all of the victims and individuals affected by the hack.

He said: “As we have said before I and the entire Equifax organization apologizes to the individuals whose information was stolen in the cyber-attack, and we apologize as well to our customers, partners, investors, and communities who were disrupted by the cybersecurity incident at Equifax.”

John Gamble, chief financial officer, added that Equifax will spend at least $200 million on improving cybersecurity over the next two years.

He said: “Our focus is to be a leader in IT and security.

“Our investments in 2018 and 2019 will reflect this, and in 2018 we are expecting approximately $200 million net incremental IT and data security project costs and legal and professional fees being incurred related to specifically address the litigation and governmental regulatory investigations related to the cybersecurity incident.”

Equifax said it will directly notify the additional 2.4 million customers.

More victims

The credit-reporting firm previously reported that 145.5 million people were affected by the hack in July 2017, which wasn’t made public until two months later.

Equifax claims it didn’t disclose the additional 2.4 million breaches, as victims’ social security numbers (SSNs) were not taken, and at the time experts determined that hackers were focused on SSNs.

The newly-reported victims had partial driver’s license information stolen, the company revealed.

But other details including home addresses, birth dates, and credit card numbers were also taken.

Barros said: “This is not about newly discovered stolen data.

“It's about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.”

Equifax reported revenue of $838.5 million in the fourth quarter of 2017, a 5% increase from the fourth quarter of 2016.

Net income was up 40% compared to the fourth quarter of 2016, and for the full year of 2017 revenue was $3.4 billion – a 7% increase from 2016.

Costs related to the data breach totaled $26.5 million in the fourth quarter and $114 million in the whole of 2017.