Credit Reporting agencies (C.R.A), popularly known as credit bureaus, create credit reports that give a detailed sketch of an individual’s credit history. Credit reporting agencies get these details from businesses, credit card companies, banks, landlords, employers, etc., and not from the individuals themselves.
Equifax Inc., one of the largest consumer credit reporting agencies, said in a filing with the U.S. Securities and Exchange Commission in 2017 that there was a massive data breach that has cost it almost $2 billion. In a statement released by the credit bureau based in Atlanta, it said that since the cybersecurity incident was announced in September 2017, it has incurred a little above $1.7 billion in costs related to the incident itself, data security costs and incremental technology, insurance recoveries for losses connected to legal proceedings and government investigations, and other expenses. It agreed to a global settlement with 50 U.S states, the Federal Trade Commission, and the Consumer Financial Protection Bureau. This settlement cost the company $425 million, given to the individuals affected by the cybersecurity breach incident. The Apache Struts CVE-2017-5638 was the vulnerability that led to the breach.
The company lost $1.138 billion in net insurance and other expenses in 2019 alone. While in 2018, it lost $326.2 million in expenses. Losses also included $292.1 million for data security and technology, $3.9 for liabilities in the product, and $41.3 million in investigative and legal fees.
The government of the United States indicted four suspects for the hack, an act that revealed the personal and detailed information of millions of Americans. These people were suspected members of the Chinese military. These individuals allegedly hacked into the company’s computer networks, gained unauthorized access, and stole sensitive information of more than 150 million American citizens. The data leaked included: Driver’s license numbers, Addresses, Social Security numbers, names, and birth dates. In the filing, it stated that, at the period of the cybersecurity incident in 2017, it had $125 million of coverage in cybersecurity insurance, slightly above $7.5 million deductible used to reduce the exposure it might have to losses that were related to the cybersecurity incident. Also, it has received all reimbursements under the $125 million insurance policy since the public notice of the cybersecurity incident in 2017. These reimbursements were received before 2019. There was also maintenance of the officers’ and the directors’ insurance policy that recorded the maximum estimated recoveries around December 31, 2019.
Equifax also confirmed it received $3.5 billion in returns from revenue in 2019, which was 3% higher than its revenue from 2018 and also a net loss of $398.8 million, after comparing it with a profit of $299.8 for 2018. Sometime in January 2017, a federal judge in Atlanta approved a settlement of a lawsuit having class-action against Equifax Inc. by customers, which could potentially cost the company $3.8 billion.