- Equifax incurred $87.5 million in expenses related to the data breach disclosed in September, including costs to investigate and remediate the breach, in addition to legal expenses, according to the company's Q3 earnings report. But Equifax still saw Q3 revenue increase 4% year-over-year to $834.8 million.
- The costs of the breach are not over yet. While Equifax said it expects to incur more cybersecurity-related costs in coming quarters, its pending legal battle could prove the most costly. Following the breach, consumers and some financial institutions have filed more than 240 class action suits against Equifax in federal, state and Canadian courts, Equifax disclosed in quarterly SEC filings. Motions to consolidate the cases are in place.
- The earnings announcement came shortly after Equifax's interim CEO, Paulino do Rego Barros Jr., and former CEO, Richard Smith, testified before a Senate committee about consumer protection amidst data breaches. At the hearing, Smith said Equifax did not encrypt its data when the breach occurred, TechTarget reports. But when asked if data was still unencrypted at rest, Barros said, "I don't know at this stage."
Fall out from the Equifax breach will continue in the coming months and quarters as the company works to revamp its technology portfolio. While Barros has appointed a chief transformation officer to oversee breach resolution, some damage is irreparable, particularly when it comes to reputation.
What is going to be key for Equifax in its recovery is the ability to answer the hard questions. As the legal impacts continue, Equifax will have to fully understand the scope of its technology portfolio and know whether encryption is in place. "I don't know," won't necessarily cut it in court.
The Equifax breach is not a unique incident. Neither was the Yahoo breach. The only thing that sets these breaches apart is the scope of impact, and, in Equifax's case, the sensitivity of the data.
Though the company is facing legal cases and dings to its reputation, until it faces a greater financial impact, the company may not be as incentivized to make systematic upgrades to its security posture.
Unless there are more serious consequences to data breaches, other companies may not be motivated to change.