Equifax Says Cybersecurity Breach Has Cost $1.4 Billion

A year and a half ago, Equifax, which gathers consumers’ credit histories, revealed a massive security breach compromised the personal information of about 150 million people. 

Mike Stewart / Associated Press

Equifax, the Atlanta credit bureau, revealed in its earnings release Friday that dealing with its 2017 cybersecurity incident has cost about $1.4 billion plus legal fees.

A year and a half ago, the company, which gathers consumers’ credit histories, revealed a massive security breach compromised the personal information of about 150 million people.

The hack itself happened nearly two years ago, between May and July of 2017, a few months after the Department of Homeland Security informed the company of a software vulnerability.

Chief Executive Mark Begor said in a call with investors that the company has made progress since the 2017 breach, notably by reaching settlement agreements recently with some of the class action lawsuits and government investigators.

“This is a positive step forward for Equifax, as we work to put the 2017 cybersecurity event behind us,” he said, though he qualified they are pending court approval.

Begor also said the settlement terms include the creation of a single “consumer redress fund” to consolidate redress requests, for which the company advocated.

There are still many other lawsuits outstanding. The company has said hundreds of suits were filed against it since the breach, including more than 2,500 individual consumer plaintiffs, international and domestic class action suits, shareholder litigation and government lawsuits from states and cities.

The company already agreed to one consent order from some state banking regulators, and the breach remains under investigation from federal, state, city and foreign governmental agencies and officials.

The company said earlier this year that the Consumer Financial Protection Bureau and Federal Trade Commission had told Equifax the agencies do “intend to seek injunctive relief damages and, with respect to the CFPB, civil money penalties against us based on allegations related to the 2017 cybersecurity incident.”

While Equifax has undergone much internal restructuring, critics point out that no regulatory oversight of the industry has changed since the breach.

“Equifax still hasn’t paid a price two years after losing the financial DNA of 150 million Americans,” said Mike Lit, a national campaign director at the consumer advocate, U.S. Public Interest Research Group. “That’s why we need strong oversight and meaningful financial penalties to incentivize the credit bureaus to protect our data.”

This week a group of Congressmen, including Massachusetts Senator Elizabeth Warren re-introduced legislation that proposes some of these regulatory changes and would impose mandatory increased penalties for future breaches.