Equifax’s latest Securities and Exchange Commission filing has revealed the huge cost of its 2017 data breach, which saw the personal information of 148 million customers exposed.
The figure, which excludes masses of legal fees for lawsuits that have yet to be concluded, is estimated to be 350 times the average cost of a data breach, according to research by IBM.
In the first quarter of 2019, the company incurred £533 million in charges related to outstanding litigation and potential fines tied to the 2017 incident. The billion-dollar expense includes incremental technology and data security costs, and an accrual for losses associated with legal proceedings and investigations.
Equifax CEO Mark Begor told investors, according to WABE, that the firm had made progress, most notably by settling legal action brought against it. He also told them that the company had reached a confidential settlement covering the consumer federal class action cases that, if approved by the court, would fully resolve claims asserted in the consumer cases.
The proposed global settlement provides for the establishment of a single consumer redress fund, which was the company’s goal, and certain other non-monetary terms.
Begor said: “As we’ve discussed previously, we believe the consumers are better served through a single consumer fund and a global settlement of the federal and state government investigations, together with the consumer class action litigation. We expect to complete definitive settlement agreements with the parties in the coming weeks.”
There were also several one-time costs incurred during the first quarter related to the breach – £64m for technology and security spending, £9m for legal fees and £1.5m for consumer support, Begor reported.
He explained: “While it is reasonably possible that losses exceeding the amount accrued will be incurred, it is not possible at this time to estimate the additional possible loss in excess of the amount already accrued that might result from adverse judgements, settlements, penalties or other resolution of the proceedings and investigations related to the 2017 cybersecurity incident based on a number of factors.
“These include the various stages of these proceedings and investigations, that alleged damages have not been specified or are uncertain, the uncertainty and complexity of achieving a multi-party resolution, the uncertainty as to the certification of a class or classes and the size of any certified class, as applicable, and the lack of resolution on significant factual and legal issues.”