It’s been just over two months since Equifax disclosed that it had been the victim of a “cybersecurity incident” that exposed the personal information of 145.5 million U.S. consumers.
Since then, the fallout from the data breach has been extensive, to say the least.
The company is currently facing inquiries from the Consumer Financial Protection Bureau, the Federal Trade Commission, the House Financial Services Committee, the Senate Finance Committee, the office of New York Attorney General Eric Schneiderman, the New York Department of Financial Services, and lawsuits from the state of Massachusetts, the city of San Francisco, and the city of Chicago.
The breach also cost three Equifax executives their jobs. Equifax CEO and Chairman of the Board, Richard Smith, “retired,” just two weeks after two of the executives charged with the security of Equifax’s credit data also “retired.”
But now, for the first time, the company is detailing the full fallout from the breach.
On Thursday, Equifax reported its third quarter earnings, and both the earnings release and the accompanying filing with the Securities and Exchange Commission are chock full of details about the consequences from the breach, to this point.
According to Equifax, the company is facing much more legal and regulatory trouble than previously reported.
In its SEC filing, Equifax revealed that more than 240 class action lawsuits have been filed by consumers against the company in federal, state and Canadian courts.
Other class actions have been filed by financial institutions that state that their businesses have been placed at risk by the breach, and claim negligence and breach of contract against Equifax.
Equifax said that it is asking for the cases to be consolidated and transferred to a single U.S. District Court so the company can fight the allegations.
“We dispute the allegations in the complaints described above and intend to defend against such claims,” the company said in its SEC filing.
Beyond the class action lawsuits, Equifax is facing inquiries from just about every regulator one could think of.
According to the company, it is cooperating with “federal, state, city and foreign governmental agencies and officials investigating or otherwise seeking information and/or documents, including through Civil Investigative Demands.”
Included among the agencies asking for information are: All 50 state Attorneys General offices, along with the District of Columbia and Puerto Rico; the FTC; the CFPB; the SEC; the New York Department of Financial Services; the New York Department of State - Division of Consumer Protection; other U.S. state bank regulators; the Financial Industry Regulatory Authority; certain Congressional committees of both the Senate and House of Representatives; the United Kingdom’s Financial Conduct Authority; the Information Commissioner’s Office in the United Kingdom; and the Office of the Privacy Commissioner of Canada.
But that’s not all.
In addition to the lawsuits from Massachusetts, Chicago, and San Francisco, the company also received subpoenas from the SEC and the U.S. Attorney’s Office for the Northern District of Georgia regarding potential insider trading activities allegedly perpetrated by several Equifax executives, although the company said recently that the trades in question were on the up and up.
And the fallout isn’t limited to legal and regulatory troubles.
Equifax’s bottom line also took a big hit in the third quarter.
The company reported Thursday that its net income was $96.3 million in the third quarter, which is down 27% compared to the third quarter of last year.
Overall, the company’s revenue was actually up by 4% year-over-year, rising to $834.8 million in the third quarter of 2017, but the financial costs already borne by the company in the wake of the breach held back its earnings.
The company said that during the third quarter, it recorded $87.5 million ($59.3 million, net of tax) for expenses related to the breach.
Those expenses included $55.5 million in “product cost,” $17.1 million in “professional fees,” and $14.9 in “consumer support.”
As far as expenses incurred in the third quarter, the company recorded $27.3 million of pretax expenses related to the breach.
The company said that it anticipates incurring additional costs in the estimated range between $56 million and $110 million due to the breach. The company said that it recorded a liability for the “low end in the range as we do not believe that any amount within the range is a better estimate than any other amount.”
And things could get worse.
From the obvious department, the company cautions the following in its SEC filing: “The cybersecurity incident has had a negative impact on our reputation, and we cannot assure it will not have a long-term effect on our relationships with our customers, our revenue and our business.”
In a statement, Paulino Barros, interim chief executive officer at Equifax, said that the company believes it is moving in the right direction and preparing to move beyond the breach.
“As we report our third quarter results, we recognize that we have an important journey in front of us to regain the trust and confidence of consumers and our business customers,” Barros said.
“Our teams have taken immediate actions to improve our data security and provide improved support for consumers who were impacted by our cybersecurity incident,” Barros continued.
“As we look to the future, I have committed Equifax to four things: protecting consumers, enhancing our security, empowering consumers to control access to personal credit data, and leading our industry to confront the massive economic and national security threats represented by cyber criminals,” Barros concluded. “I have high confidence in our global teams, and as we focus on these critical imperatives we will emerge from this an even stronger company.”