“It is not possible to estimate the amount of loss or range of possible loss.”
Equifax reported that revenue ticked up 4% year-over-year in the third quarter to a less-than-expected $835 million and that net income plunged 27% to $96 million due to the initial costs related to the most damaging consumer data hack in US history. But it also disclosed in the fine print of its SEC filing just what a legal and financial nightmare it is getting into over what it calls the “cybersecurity incident.”
The “cybersecurity incident” occurred in mid-May, was discovered in July, and was first disclosed on September 7. Its dimensions have since expanded. It compromised the personal-data crown jewels, including Social Security numbers, of 145.5 million US consumers, credit card numbers of 209,000 US and Canadian consumers, “certain dispute documents with personal identifying information” for 182,000 US consumers, personal information of 8,000 Canadian consumers, and personal information of at least 690,000 UK consumers.
The initial expenses related to the “cybersecurity incident” were an undramatic $27.3 million. But that’s just the timid beginning.
Then the costs related to the “free credit file monitoring and identity theft protection” will likely range between $56 million and $110 million. And that too is just the beginning.
The biggie? Litigation, Claims, and Government Investigations.
- “Over 240” class action lawsuits by consumers against Equifax in US federal and state courts and in Canadian courts. The plaintiffs “generally … assert a variety of common law and statutory claims seeking monetary damages, injunctive relief, and other related relief.”
- Undisclosed number of class action lawsuits by financial institutions against Equifax. They “allege their businesses have been placed at risk due to the cybersecurity incident and generally assert various common law claims such as claims for negligence and breach of contract, as well as, in some cases, statutory claims.” These suits seek compensatory damages and “other related relief.”
- Undisclosed number of “putative class action lawsuits” by shareholders against Equifax and “certain” of its current and former officers and directors. They allege “violations of the federal securities laws in connection with statements regarding our cybersecurity systems and controls” and are seeking “unspecified monetary damages, costs and attorneys’ fees.”
- Undisclosed number of “other lawsuits and claims allegedly arising out of the cybersecurity incident,” presumably including the $500,000-lawsuit filed by short seller Carson Block.
Government entities are getting restless.
US federal, state, and city government agencies, and governmental agencies and officials in Canada and the UK are investigating, among other things, how the cybersecurity incident “occurred, the consequences thereof, and our response thereto.” They’re “seeking information and/or documents, including through Civil Investigative Demands.” And they “may seek to impose injunctive relief, consent decrees, or other civil or criminal penalties….”
The restless entities in the US include:
- The 50 state Attorneys General offices and the District of Columbia and Puerto Rico. The Attorney General of Massachusetts has already filed a civil enforcement action.
- The City of San Francisco and the Chicago City Council have filed lawsuits “alleging violations of state laws and local ordinances governing protection of personal data, consumer fraud, and breach notice requirements and business practices.”
- The Federal Trade Commission (FTC).
- The Consumer Financial Protection Bureau (CFPB)
- The SEC and the US Attorney’s Office for the Northern District of Georgia have sent subpoenas to Equifax “regarding trading activities by certain of our employees in relation to the cybersecurity incident.”
- The New York Department of Financial Services
- The New York Department of State – Division of Consumer Protection
- “Other US state bank regulators”
- The Financial Industry Regulatory Authority (FINRA)
- “Certain Congressional committees” of the Senate and House of Representatives.
Outside the US:
- The UK’s Financial Conduct Authority (FCA). Its Enforcement Division has opened an investigation into Equifax’s UK subsidiary.
- The UK’s Information Commissioner’s Office
- Canada’s Office of the Privacy Commissioner.
And more hounding may come:
Additional lawsuits and claims related to the cybersecurity incident may be asserted by or on behalf of consumers, customers, shareholders or others seeking damages or other related relief and additional inquiries from governmental agencies may be received or investigations by governmental agencies commenced.
Equifax doesn’t know how much it’ll cost.
But it could be big — and “have an adverse effect on how we operate our business or our results of operations.”
It is not possible to estimate the amount of loss or range of possible loss, if any, that might result from adverse judgments, settlements, penalties or other resolution of the above described proceedings and investigations based on the early stage of these proceedings and investigations, that alleged damages have not been specified, the uncertainty as to the certification of a class or classes and the size of any certified class, as applicable, and the lack of resolution on significant factual and legal issues.
Unknown “Future Costs” associated with the “cybersecurity incident” beyond the judgements, penalties, fines, and the like, include:
- “Significant” legal and other professional services expenses.
- Increased expenses and capital investments for IT and security.
- Increased expenses for insurance, finance, compliance activities, and to meet increased legal and regulatory requirements.
- Increased costs to provide free services to consumers including “increased customer support costs.”
There will be “other risk factors,” in addition to the legal risks:
“Our remediation and security and IT enhancement efforts will be costly and may not be effective,” it said. Plus, the fiasco “has had a negative impact on our reputation” [no kidding!], and may have “a long-term effect on our relationships with our customers, our revenue and our business.”
Worst of all, this unwanted attention by government agencies and the courts could hamper its business of collecting and monetizing consumers’ personal data (remember, the consumer is the product):
The governmental agencies investigating the cybersecurity incident may seek to impose injunctive relief, consent decrees, or other civil or criminal penalties, which could, among other things, impact our ability to collect and use consumer information, materially increase our data security costs and/or otherwise require us to alter how we operate our business.
Where there’s a crisis, there’s opportunity – for fraudsters. Here are some of the Equifax scams now underway – and how to protect yourself. Read… Beware – the Equifax Scams Are Coming
Ideas for the common folk.
– Credit freezes on the big three agencies
– IRS PIN security for filing taxes
– Minimal to no social media footprint
– Pay cash as much as possible
Sage advice 2banana: don’t know why they don’t implement 2 step verification on opening a new credit account. Also the freeze charges are ludicrous and must amount to a significant boost to revenues for the reporting agencies. Maybe it’s time to reevaluate the effectiveness of online systems in light of all the billions of dollars of losses. Critical infrastructure systems should be decentralized and taken offline.
You need to be able to get credit checked for a lot of low-income housing, work opportunities, etc. Plus I think you’ve really got to have a pool of cash outside the banking system entirely to make “Pay cash as much as possible” a genuine privacy enhancement. If you’re getting paid by a corporate employer it’s probably direct deposit, and if you don’t have some savings, you’re going to be making enough trips to the ATM to generate a pretty good record of what your cash outlays were. Of course these days lots of people have grey and black cash income streams, too, but there are still lots of “common folk” without much of either.
Equifax may end up like Tepco.
Kept alive by the State, as the State can’t afford to/doesn’t want to pick up the tab if it is allowed to go under.
They seem pretty redundant since Experian and Transunion also exist.
Equifax is already back on its feet…Quarterly earnings are up 6%.
Sure, they ignored $90M in breach costs, but those were one-time costs and not likely to repeat or continue to affect their business going forward.
Gotta love adjusted earnings–Pass out the executive bonuses!
Pending litigation and settlement cost 300% + the TOTAL value of the company???
No not relevant.
Read the first sentence of my article: quarterly net income PLUNGED 27%.
“Adjusted earnings” – which I didn’t mention because it’s a fake number and doesn’t merit a mention – rose 6%. To get there, Equifax removed the initial costs of dealing with the hack from this number. It’s a pure BS number.
I also linked its earnings report that it filed with the SEC (link is in the first paragraph). You can check out the actual numbers on it.
Post was intended as tongue-in-cheek poke at the absurdity of “adjusted earnings”–which I know Wolf’s feelings on. Apparently did not read dripping with as much sarcasm as in my head…
For executives to call a $90M tip-of-the-iceberg cost an anomaly, and collect a bonus, ought to be criminal.
Oooops. I’m a little slow sometimes
Negative feedback loop on Equifax as more company accounts are closed and subscribe to their competitors. Stock will break down.
Legal fees accelerating exponentially as regulatory investigations kick in.
And first waves of identity theft happening as this data base in dark web is matched with healthcare/OPM files
Regardless of one’s perception of effects of the loop (e.g. as negative), the loop you are describing amplifies the effects further and further, hence it is a ‘positive feedback loop’:
Every update on this story reinforces my relief I froze my credit right after reading Wolf’s initial report.
Vichy Chicago, I agree with you wholeheartedly. Wolf did us (his readers) a big favor with that suggestion.
It got a lot harder a few days later for people to get in to the sites and the companies were making it more difficult to make the change. Plus, at my age, I’m not planning on borrowing money or changing my credit card situation and it does make a lot of sense.
Wolf seldom makes recommendations to his readers but this one was right on the spot. Enjoyable site, great author.
The lawyers will be the winners.
You can bet on that! They are salivating. DocT
I see another Arthur Andersen in the making.
Or, in the unmaking, as the case may be.
It’s enough to make you nostalgic for naked shorts. Those were the days.
No matter how gross the negligence, no CEO need ever fear criminal consequences in our crony capitalist wonderland with its complicit or asleep-at-the-switch regulators and enforcers.
Well, the CEO got fired, I mean “retired effective immediately,” a short while after the hack was disclosed. So that’s a mini-step in the right direction.
We do have to remember that Equifax was a victim of this crime (the hack). But it was allegedly grossly negligent in protecting itself and our data and it completely blew how it handled the fiasco.
To spend more time with family and pursue other interests? :)
Changing CEOs is positive, so what price do we buy this stock?
Unless you want to have a loss to counter any profits you made on stocks you sold to fund your Equifax stock purchase.
You can see pretty easily that “national security” is the issue here, quasi bailouts and nationalizing of the system are next. More government intrusion is likely, it’s mostly their data at risk, (SSN, DL,etc). My thought is to buy the stock of these companies on weakness.
I froze my credit on Equifax, Experian, and TransUnion this week in about 15 minutes for all three. I paid a $10 fee for Experian and TransUnion.
People were having some problems doing this earlier, but it looks like they’ve improved the process a great deal.
After I read Wolf’s warning at this site, I immediately froze all of my credit accounts and at that time there was no charge.
I also froze all 3 of mine after Wolf’s warning and also took heed of his other warning to not pay a dime to institute the freezes.
Interesting point though. After freezing Equifax, was still able to monitor my credit score through my banking account. No clear reason but score is dropping like a rock. Any idea why other than retribution? Illegal?
If your credit score is dropping and you don’t know why, you might want to check into it. Even with a credit freeze, you can still get your annual free “credit report.” This is much more than a “credit score”… it shows all the credit transactions on file… there may be bad data on it or there may be another problem. Here’s how:
All together now! “Drain the swamp” aka “Change you can believe in”. Snark!
Congress votes to disallow consumers from suing Equifax and other companies with arbitration agreements – Oct 24, 2017
The Senate voted late Tuesday night to strike a federal rule that would have allowed consumers affected by the Equifax hack to sue the company. Without it, the millions affected by the historic security breach may be disallowed from joining related class action lawsuits. This specific rule, and only this rule, would be nullified if the joint resolution is signed by the President.
The vote was 50/50, with the tie-breaking yea cast by Vice President Pence.
The rule in question was entered into the Federal Register by the Bureau of Consumer Financial Protection in July; it prevents financial companies that bind their users by arbitration agreements from prohibiting those same users from suing as a class.
This breach is one of the biggest atrocities in decades. Laws allow a company to hold your personal financial data without your permission and without paying you to hold it. Then can sell this data to others. Wow what a business.
But this same company uses a third rate cyber protection software system, and when notified about their software vulnerability fails to adequately correct the defect. Then one step deeper they travel as their software to detect the correction also fails. Finally they fail to notify those whose data was breached in a timely manner. How can executives of this company walk away without paying fines. They failed miserably over the years in the systems which were instituted as the protection of this data was not a priority.
Why do we need three credit agencies? Seems to me this company should be fined and or sued out of existence.
“How can executives of this company walk away without paying fines.”
Let’s see, what can be said about that? All animals are equal but some are more equal than others… and something about bought government and a two-tiered “justice” system?
What’s funny is that my credit score jumped 100 points on Equifax ……
My credit is now fantastic.
So, how long until Equifax is forced to close down?
My guess, Equifax will last until it can transfer its best assets to a new company.
This isn’t really my game as far as running money, but if it were I’d think EFX would be potentially subject to “discovery risk” and thus even more appealing of a potential short.
To wit – many of the actors in the big data industry push the limits quite significantly here. The operative thinking being that “how on earth would anyone be able to dig through every bit of our correspondence/records and find this? That would take more or less the entire world suing us to happen!”
Or (more likely) could even just be your rogue employee problem. Employee hoovers up the data and “monetizes” it himself. Well then. If nothing else that’s yet more cause of action pile-on right there.
Making the data available for hackers is probably an underhanded mechanism for this branch of criminal enterprise to drum up additional business for a stalled business model.
Big data is commonplace
The Equifax Data Breach: What to Do?
Service temporarily unavailable
The service you’re requesting is temporarily unavailable. We apologize for any inconvenience. We’ll be back up and running as soon as possible.
Thank you for your patience.
F@#k Equifax. They harvest us, just like every other entity does in this wonderful country called the US of A.
“In reality, though, it was never about us and our economy at all. Today it is obvious that all of this had only one rationale: to raise up a class of supermen above us. It had nothing to do with jobs or growth. Or freedom either. The only person’s freedom to be enhanced by these tax havens was the billionaire’s freedom. It was all to make his life even better, not ours…
We endure potholes and live in fear of collapsing highway bridges because our leaders wanted these very special people to have an even larger second yacht. Our kids sit in overcrowded classrooms in underfunded schools so that a handful of exalted individuals can relax on their own private beach.
Today it is these same golden figures with their offshore billions who host the fundraisers, hire the lobbyists, bankroll the think tanks and subsidize the artists and intellectuals.
This is their democracy today. We just happen to live in it.”
Thomas Frank, We Built a Paradise For Offshore Billionaires
“”Undisclosed number of “other lawsuits and claims allegedly arising out of the cybersecurity incident,” presumably including the $500,000-lawsuit filed by short seller Carson Block.””
Those that shorted the stock should have ZERO STANDING.
After all, they are just high stake gamblers that bet on the direction the stock markets are going to go – instead of betting on the ponies.
As he specifically pointed out, he didn’t short the stock.