Equifax Discloses its Coming Nightmares

“It is not possible to estimate the amount of loss or range of possible loss.”

Equifax reported that revenue ticked up 4% year-over-year in the third quarter to a less-than-expected $835 million and that net income plunged 27% to $96 million due to the initial costs related to the most damaging consumer data hack in US history. But it also disclosed in the fine print of its SEC filing just what a legal and financial nightmare it is getting into over what it calls the “cybersecurity incident.”

The “cybersecurity incident” occurred in mid-May, was discovered in July, and was first disclosed on September 7. Its dimensions have since expanded. It compromised the personal-data crown jewels, including Social Security numbers, of 145.5 million US consumers, credit card numbers of 209,000 US and Canadian consumers, “certain dispute documents with personal identifying information” for 182,000 US consumers, personal information of 8,000 Canadian consumers, and personal information of at least 690,000 UK consumers.

The initial expenses related to the “cybersecurity incident” were an undramatic $27.3 million. But that’s just the timid beginning.

Then the costs related to the “free credit file monitoring and identity theft protection” will likely range between $56 million and $110 million. And that too is just the beginning.

The biggie? Litigation, Claims, and Government Investigations.

“Over 240” class action lawsuits by consumers against Equifax in US federal and state courts and in Canadian courts. The plaintiffs “generally … assert a variety of common law and statutory claims seeking monetary damages, injunctive relief, and other related relief.”

Undisclosed number of class action lawsuits by financial institutions against Equifax. They “allege their businesses have been placed at risk due to the cybersecurity incident and generally assert various common law claims such as claims for negligence and breach of contract, as well as, in some cases, statutory claims.” These suits seek compensatory damages and “other related relief.”

Undisclosed number of “putative class action lawsuits” by shareholders against Equifax and “certain” of its current and former officers and directors. They allege “violations of the federal securities laws in connection with statements regarding our cybersecurity systems and controls” and are seeking “unspecified monetary damages, costs and attorneys’ fees.”

Undisclosed number of “other lawsuits and claims allegedly arising out of the cybersecurity incident,” presumably including the $500,000-lawsuit filed by short seller Carson Block.

Government entities are getting restless.

US federal, state, and city government agencies, and governmental agencies and officials in Canada and the UK are investigating, among other things, how the cybersecurity incident “occurred, the consequences thereof, and our response thereto.” They’re “seeking information and/or documents, including through Civil Investigative Demands.” And they “may seek to impose injunctive relief, consent decrees, or other civil or criminal penalties….”

The restless entities in the US include:

  • The 50 state Attorneys General offices and the District of Columbia and Puerto Rico. The Attorney General of Massachusetts has already filed a civil enforcement action.
  • The City of San Francisco and the Chicago City Council have filed lawsuits “alleging violations of state laws and local ordinances governing protection of personal data, consumer fraud, and breach notice requirements and business practices.”
  • The Federal Trade Commission (FTC).
  • The Consumer Finance Protection Bureau (CFPB)
  • The SEC and the US Attorney’s Office for the Northern District of Georgia have sent subpoenas to Equifax “regarding trading activities by certain of our employees in relation to the cybersecurity incident.”
  • The New York Department of Financial Services
  • The New York Department of State – Division of Consumer Protection
  • “Other US state bank regulators”
  • The Financial Industry Regulatory Authority (FINRA)
  • “Certain Congressional committees” of the Senate and House of Representatives.

Outside the US:

  • The UK’s Financial Conduct Authority (FCA). Its Enforcement Division has opened an investigation into Equifax’s UK subsidiary.
  • The UK’s Information Commissioner’s Office
  • Canada’s Office of the Privacy Commissioner.

And more hounding may come:

Additional lawsuits and claims related to the cybersecurity incident may be asserted by or on behalf of consumers, customers, shareholders or others seeking damages or other related relief and additional inquiries from governmental agencies may be received or investigations by governmental agencies commenced.

Equifax doesn’t know how much it’ll cost.

But it could be big — and “have an adverse effect on how we operate our business or our results of operations.”

It is not possible to estimate the amount of loss or range of possible loss, if any, that might result from adverse judgments, settlements, penalties or other resolution of the above described proceedings and investigations based on the early stage of these proceedings and investigations, that alleged damages have not been specified, the uncertainty as to the certification of a class or classes and the size of any certified class, as applicable, and the lack of resolution on significant factual and legal issues.

Unknown “Future Costs” associated with the “cybersecurity incident” beyond the judgements, penalties, fines, and the like, include:

  • “Significant” legal and other professional services expenses.
  • Increased expenses and capital investments for IT and security.
  • Increased expenses for insurance, finance, compliance activities, and to meet increased legal and regulatory requirements.
  • Increased costs to provide free services to consumers including “increased customer support costs.”

There will be “other risk factors,” in addition to the legal risks:

“Our remediation and security and IT enhancement efforts will be costly and may not be effective,” it said. Plus, the fiasco “has had a negative impact on our reputation” [no kidding!], and may have “a long-term effect on our relationships with our customers, our revenue and our business.”

Worst of all, this unwanted attention by government agencies and the courts could hamper its business of collecting and monetizing consumers’ personal data (remember, the consumer is the product):

The governmental agencies investigating the cybersecurity incident may seek to impose injunctive relief, consent decrees, or other civil or criminal penalties, which could, among other things, impact our ability to collect and use consumer information, materially increase our data security costs and/or otherwise require us to alter how we operate our business.

Where there’s a crisis, there’s opportunity – for fraudsters. Here are some of the Equifax scams now underway – and how to protect yourself. Read…  Beware – the Equifax Scams Are Coming


  44 comments for “Equifax Discloses its Coming Nightmares”

  1. 2banana
    Nov 10, 2017 at 2:46 am

    Ideas for the common folk.
    – Credit freezes on the big three agencies
    – IRS PIN security for filing taxes
    – Minimal to no social media footprint
    – Pay cash as much as possible

    • JB
      Nov 10, 2017 at 12:18 pm

      sage advice 2banana: don’t know why they don’t implement 2 step verification on opening a new credit account. Also the freeze charges are ludicrous and must amount to a significant boost to revenues for the reporting agencies. Maybe it’s time to reevaluate the effectiveness of online systems in light of all the billions of dollars of losses. Critical infrastructure systems should be decentralized and taken offline.

    • subunit
      Nov 11, 2017 at 9:19 am

      You need to be able to get credit checked for a lot of low-income housing, work opportunities, etc. Plus I think you’ve really got to have a pool of cash outside the banking system entirely to make “Pay cash as much as possible” a genuine privacy enhancement. If you’re getting paid by a corporate employer it’s probably direct deposit, and if you don’t have some savings, you’re going to be making enough trips to the ATM to generate a pretty good record of what your cash outlays were. Of course these days lots of people have grey and black cash income streams, too, but there are still lots of “common folk” without much of either.

  2. d
    Nov 10, 2017 at 4:09 am

    Equifax may end up like Tepco.

    Kept alive by the State, as the State can’t afford to/doesn’t want to, pick up the tab, if it is allowed to go under.

    • Matt P
      Nov 10, 2017 at 6:12 pm

      They seem pretty redundant since Experian and Transunion also exist.

  3. MB732
    Nov 10, 2017 at 6:08 am

    Equifax is already back on its feet…Quarterly earnings are up 6%.

    Sure, they ignored $90M in breach costs, but those were one-time costs and not likely to repeat or continue to affect their business going forward.

    Gotta love adjusted earnings–Pass out the executive bonuses!

    • d
      Nov 10, 2017 at 6:28 am

      Pending litigation and settlement cost 300% + the TOTAL value of the company???

      No not relevant.

    • Nov 10, 2017 at 9:56 am


      Read the first sentence of my article: quarterly net income PLUNGED 27%.

      “Adjusted earnings” – which I didn’t mention because it’s a fake number and doesn’t merit a mention – rose 6%. To get there, Equifax removed the initial costs of dealing with the hack from this number. It’s a pure BS number.

      I also linked its earnings report that it filed with the SEC (link is in the first paragraph). You can check out the actual numbers on it.

      • MB732
        Nov 10, 2017 at 12:54 pm

        Post was intended as tongue-in-cheek poke at the absurdity of “adjusted earnings”–which I know Wolf’s feelings on. Apparently did not read dripping with as much sarcasm as in my head…

        For executives to call a $90M tip-of-the-iceberg cost an anomaly, and collect a bonus, ought to be criminal.

        • Nov 10, 2017 at 12:58 pm

          Oooops. I’m a little slow sometimes


    • Mike
      Nov 10, 2017 at 11:33 am

      Negative feedback loop on Equifax as more company accounts are closed and subscribe to their competitors. Stock will break down.
      Legal fees accelerating exponentially as regulatory investigations kick in.
      And first waves of identity theft happening as this data base in dark web is matched with healthcare/OPM files

      • bibigon
        Nov 10, 2017 at 12:43 pm

        Regardless of one’s perception of effects of the loop (e.g. as negative), the loop you are describing amplifies the effects further and further, hence it is a ‘positive feedback loop’:

  4. Vichy Chicago
    Nov 10, 2017 at 7:51 am

    Every update on this story reinforces my relief I froze my credit right after reading Wolf’s initial report.

    • Old Engineer
      Nov 10, 2017 at 9:19 am

      Vichy Chicago, I agree with you whole heartedly. Wolf did us (his readers) a big favor with that suggestion.
      It got a lot harder a few days later for people to get in to the sites and the companies were making it more difficult to make the change. Plus, at my age, I’m not planning on borrowing money or changing my credit card situation and it does make a lot of sense.
      Wolf seldom makes recommendations to his readers but this one was right on the spot. Enjoyable site, great author.

  5. Mike R.
    Nov 10, 2017 at 8:03 am

    The lawyers will be the winners.

    • David T
      Nov 10, 2017 at 9:39 am

      You can bet on that! They are salivating. DocT

  6. Arizona Slim
    Nov 10, 2017 at 8:11 am

    I see another Arthur Andersen in the making.

    • walter map
      Nov 10, 2017 at 1:02 pm

      Or, in the unmaking, as the case may be.

      It’s enough to make you nostalgic for naked shorts. Those were the days.

    • NoEasyDay
      Nov 10, 2017 at 3:51 pm

      hb2u, xoxo.

  7. Gershon
    Nov 10, 2017 at 9:09 am

    No matter how gross the negligence, no CEO need ever fear criminal consequences in our crony capitalist wonderland with its complicit or asleep-at-the-switch regulators and enforcers.

    • Nov 10, 2017 at 10:31 am

      Well, the CEO got fired, I mean “retired effective immediately,” a short while after the hack was disclosed. So that’s a mini-step in the right direction.

      We do have to remember that Equifax was a victim of this crime (the hack). But it was allegedly grossly negligent in protecting itself and our data and it completely blew how it handled the fiasco.

      • QQQBall
        Nov 10, 2017 at 6:25 pm

        to spend more time with family and pursue other interests? :)

      • Nov 11, 2017 at 1:03 pm

        Changing CEOs is positive, so what price do we buy this stock?

        • Jim Graham
          Nov 11, 2017 at 3:43 pm

          You don’t.

          Unless you want to have a loss to counter any profits you made on stocks you sold to fund your Equifax stock purchase.

  8. Nov 10, 2017 at 10:01 am

    You can see pretty easily that “national security” is the issue here, quasi bailouts and nationalizing of the system are next. More government intrusion is likely, it’s mostly their data at risk, (SSN, DL,etc). My thought is to buy the stock of these companies on weakness.

  9. Bobber
    Nov 10, 2017 at 10:06 am

    I froze my credit on Equifax, Experian, and TransUnion this week in about 15 minutes for all three. I paid a $10 fee for Experian and TransUnion.

    People were having some problems doing this earlier, but it looks like they’ve improved the process a great deal.

    • dgt
      Nov 10, 2017 at 10:33 am

      After I read Wolf’s warning at this site, I immediately froze all of my credit accounts and at that time there was no charge.

    • Nov 11, 2017 at 7:49 pm

      I also froze all 3 of mine after Wolf’s warning and also took heed his other warning to not pay a dime to institute the freezes..

    • NotMyPresident
      Nov 14, 2017 at 4:18 am

      Interesting point though. After freezing Equifax, was still able to monitor my credit score through my banking account. No clear reason but score is dropping like a rock. Any idea why other than retribution? Illegal?

      • Nov 14, 2017 at 9:53 am


        If your credit score is dropping and you don’t know why, you might want to check into it. Even with a credit freeze, you can still get your annual free “credit report.” This is much more than a “credit score”… it shows all the credit transactions on file… there may be bad data on it or there may be another problem. Here’s how:


  10. Winston
    Nov 10, 2017 at 10:28 am

    All together now! “Drain the swamp” aka “Change you can believe in”. Snark!

    Congress votes to disallow consumers from suing Equifax and other companies with arbitration agreements – Oct 24, 2017

    The Senate voted late Tuesday night to strike a federal rule that would have allowed consumers affected by the Equifax hack to sue the company. Without it, the millions affected by the historic security breach may be disallowed from joining related class action lawsuits. This specific rule, and only this rule, would be nullified if the joint resolution is signed by the President.

    The vote was 50/50, with the tie-breaking yea cast by Vice President Pence.

    The rule in question was entered into the Federal Register by the Bureau of Consumer Financial Protection in July; it prevents financial companies that bind their users by arbitration agreements from prohibiting those same users from suing as a class.

  11. Laughing Eagle
    Nov 10, 2017 at 10:28 am

    This breach is one of the biggest atrocities in decades. Laws allow a company to hold your personal financial data without your permission and without paying you to hold it. Then can sell this data to others. Wow what a business.
    But this same company uses a third rate cyber protection software system, and when notified about their software vulnerability fails to adequately correct the defect. Then one step deeper they travel as their software to detect the correction also fails. Finally they fail to notify those whose data was breached in a timely manner. How can executives of this company walk away without paying fines. They failed miserably over the years in the systems which were instituted as the protection of this data was not a priority.
    Why do we need three credit agencies? Seems to me this company should be fined and or sued out of existence.

    • Winston
      Nov 11, 2017 at 9:42 am

      “How can executives of this company walk away without paying fines.”

      Let’s see, what can be said about that? All animals are equal but some are more equal than others… and something about bought government and a two-tiered “justice” system?

  12. Rates
    Nov 10, 2017 at 12:43 pm

    What’s funny is that my credit score jumped 100 points on Equifax ……

    My credit is now fantastic.

  13. raxadian
    Nov 10, 2017 at 1:49 pm

    So, how long until Equifax is forced to close down?

    • Lion
      Nov 10, 2017 at 6:48 pm

      My guess, Equifax will last until it can transfer its best assets to a new company.

  14. Enrique Bermudez
    Nov 10, 2017 at 1:54 pm

    This isn’t really my game as far as running money, but if it were I’d think EFX would be potentially subject to “discovery risk” and thus even more appealing of a potential short.

    Imagine class action suit 15 (of number infinity) stumbling onto a trail of these filth more or less illegally “monetizing” “customer” info in violation of its own “privacy policy.” Shifting consumer data via some indirect means and having someone else sell it, etc.

    To wit – many of the actors in the big data industry push the limits quite significantly here. The operative thinking being that “how on earth would anyone be able to dig through every bit of our correspondence/records and find this? That would take more or less the entire world suing us to happen!”

    Or (more likely) could even just be your rogue employee problem. Employee hoovers up the data and “monetizes” it himself. Well then. If nothing else that’s yet more cause of action pile-on right there.

  15. mean chicken
    Nov 10, 2017 at 2:54 pm

    Making the data available for hackers is probably an underhanded mechanism for this branch of criminal enterprise to drum up additional business for a stalled business model.

    Big data is commonplace

  16. quack
    Nov 11, 2017 at 12:43 am

    The Equifax Data Breach: What to Do?

    Service temporarily unavailable

    The service you’re requesting is temporarily unavailable. We apologize for any inconvenience. We’ll be back up and running as soon as possible.

    Thank you for your patience.

  17. Rob
    Nov 11, 2017 at 12:54 am

    F@#k Equifax. They harvest us, just like every other entity does in this wonderful country called the US of A.

    • Gershon
      Nov 11, 2017 at 11:56 am

      “In reality, though, it was never about us and our economy at all. Today it is obvious that all of this had only one rationale: to raise up a class of supermen above us. It had nothing to do with jobs or growth. Or freedom either. The only person’s freedom to be enhanced by these tax havens was the billionaire’s freedom. It was all to make his life even better, not ours…

      We endure potholes and live in fear of collapsing highway bridges because our leaders wanted these very special people to have an even larger second yacht. Our kids sit in overcrowded classrooms in underfunded schools so that a handful of exalted individuals can relax on their own private beach.

      Today it is these same golden figures with their offshore billions who host the fundraisers, hire the lobbyists, bankroll the think tanks and subsidize the artists and intellectuals.

      This is their democracy today. We just happen to live in it.”

      Thomas Frank, We Built a Paradise For Offshore Billionaires

  18. Jim Graham
    Nov 11, 2017 at 3:52 pm

    “”Undisclosed number of “other lawsuits and claims allegedly arising out of the cybersecurity incident,” presumably including the $500,000-lawsuit filed by short seller Carson Block.””

    Those that shorted the stock should have ZERO STANDING.

    After all, they are just high stake gamblers that bet on the direction the stock markets are going to go – instead of betting on the ponies.

    • Nov 11, 2017 at 4:24 pm

      As he specifically pointed out, he didn’t short the stock.

Comments are closed.