Data breach bill for Equifax up to $1.4 billion

Equifax has now spent almost $1.4 billion in its bid to address the fallout of a record-breaking breach that hit the credit ratings agency’s systems two years ago.

The costs sit apart from further major expenditures being made as the firm overhauls its IT security programme to meet new standards in data protection and privacy.

Last week, Equifax publicised financial readings from the first three months of 2019, reporting a loss of $555.9 million against a net income of $90.9 million for the same timeframe of last year.

The Atlanta-based company’s quarterly revenue fell by $846.1 million, down 2% in comparison with the first quarter of 2018.

The data breach at the root of the damage compromised the personal data of 148 million US citizens – over half (56%) of the nation’s adult population, and almost half of the nation’s entire population.

The incident, which also exposed the data of around 15 million UK citizens and around 20,000 Canadians, prompted investigations by Congress as well as data protection authorities in Canada and the UK. It caused dozens of legal cases, dragged in state attorneys general, and forced Richard Smith to step down from his then position of Equifax CEO, followed by two of the firm’s high-ranking IT executives.

A subsequent report concluded that the breach had been “entirely preventable”, while a Senate report last month said that Equifax’s response to the breach had been inadequate and “hampered” by “neglect of cybersecurity.”

Equifax says it has now amassed $1.35 billion in costs as a result of the breach, factoring in incident response and new tech initiatives and data security improvements.

“Costs related to the 2017 cybersecurity incident are defined as incremental costs to transform our IT infrastructure and data security; legal fees and professional services costs to investigate the 2017 cybersecurity incident and respond to legal, government and regulatory claims; as well as costs to provide the free product and related support to the consumer,” the firm says.
