This week, Equifax reported in on the costs associated with its massive data breach. As you’ll recall, the data breach exposed personal information from approximately 145 million Americans. The company’s CEO stepped down less than three weeks after the hack.
Shortly after taking over, interim CEO Paulino do Rego Barros, Jr., apologized and promised consumers a new credit monitoring tool in 2018 which will allow people to lock and unlock their Equifax credit files at will.
On a conference call on Friday, Barros apologized again and said that executives will not receive bonuses this year. On Thursday, the company announced that its third-quarter profits were down 27 percent. On top of that, it recorded $87.5 million last quarter in costs related to the breach and it expects to write down another $60 to $75 million this quarter.
That wasn’t the only bad news for Equifax. Over 240 consumer class actions have been filed in U.S. federal and state courts and courts in Canada. Moreover, investigations have been initiated by a number of U.S. and foreign regulators.
The company also said on Thursday that it has now received subpoenas from the SEC and the U.S. Attorney’s Office for the Northern District of Georgia, which is where the company is based. It received the subpoenas just a week after it announced it had completed an internal review of stock sales that executives made shortly after the breach.
According to the Associated Press, four executives sold a combined total of $1.8 million in Equifax stock after the breach but before the public was notified of it. The suspiciously timed transactions could be viewed as insider trading. However, Equifax’s internal review by a committee of independent directors found that those executives had done nothing wrong.
Barros noted that both U.S. and foreign regulators had sent either subpoenas or requests for information and said that the company was cooperating in each case.
For consumers, especially, this litigation will be lengthy and complex. It’s true that information such as Social Security numbers, IDs, addressees and other personal information was exposed to hackers, and that Equifax made serious missteps in handling it. What is unclear at this point is how much financial damage was done.
The cat is out of the bag. Hackers appear to have permanent access to at least some of the information, and they may not use it right away. That means that the total amount in damage to each consumer may not be known for months or even years. Until the damage or a reasonable proxy can be calculated, the remedy — and the true extent of Equifax’s breach-related losses — remains unknown.