Data broker Equifax said that the data breach that spilled information on some 140 million individuals has cost the company $87 million so far, with more costs likely in the future.
The disclosure, made as part of the company’s quarterly filing with the US Securities and Exchange Commission, is the first public disclosure of the direct costs of the incident, which saw the company’s stock price plunge by more than 30% and wiped out billions of dollars in value to shareholders.
Equifax said that it recorded $87.5 million in expense related to the cybersecurity incident in the third quarter of 2017. But its worth digging into that number to sort out real from anticipated costs.
Around $55.5m of the $87.5m in breach related costs stems from Product costs. Professional fees added up to another $17.1m for Equifax and consumer support costs totaled $14.9m, the company said.
Equifax also said it has spent $27.3 million of pretax expenses stemming from the cost of investigating and remediating the hack to Equifax’s internal network as well as legal and other professional expenses.
But the costs are likely to continue. Equifax is estimating costs of $56 million to $110 million in “contingent liability” in the form of free credit monitoring and identity theft protection to all U.S. consumers as a good will gesture. The costs provided by Equifax are an estimate of the expenses necessary to provide this service to those who have signed up or will sign up by the January 31, 2018 deadline. So far, however, the company has only incurred $4.7 million through the end of September.
So, while the upper bound of those contingent liability costs is high, there’s good reason to believe that they will never be reached. As we’ve reported, free credit checks and other make nice gestures by breached firms are rarely adopted by affected consumers, many of whom may not know whether their information was exposed in a breach, or who feel too overwhelmed to take advantage of the offer.
Data from Experian finds that fewer than one in ten consumers who have had personal information exposed in a major breach take advantage of free credit monitoring services offered by the breached company. And the bigger and more high-profile the breach, the less likely consumers are to take advantage of it.
That’s a phenomenon that Michael Bruemmer, the Vice President of Consumer Protection at Experian (Equifax’s rival) called “breach fatigue.” It’s likely to play a role in consumers’ response to the Equifax breach, which was widely reported.
Still, Equifax cited other risk factors to its bottom line from the incident including “resulting government investigations, litigation and other impacts on our business and results of operations.” That suggests the costs stemming from the breach haven’t all been recorded.