Equifax’s massive 2017 data breach, which compromised the personal information of more than 147 million consumers, could turn out to be the most costly in corporate history.
The credit reporting bureau disclosed Friday that it expects to incur another $275 million this year in costs related to the hack, bringing the total to $439 million through the end of 2018.
“It looks like this will be the most expensive data breach in history,” Larry Ponemon, chairman of Ponemon Institute, a research group that tracks costs of cyber attacks, told Reuters.
He said total costs could be “well over $600 million,” including costs to resolve government investigations into the incident and civil lawsuits against the firm.
Equifax CFO John Gamble said in an earnings call that the company incurred $164 million in nonrecurring costs related to the hack, offset by $50 million in insurance coverage. The money was spent on legal and forensic investigations and other professional services.
In 2018, he said, “we are expecting approximately $200 million of net incremental IT and data security project costs and legal and professional fees … to address the litigation and governmental and regulatory investigations related to the cybersecurity incident.” Insurance is expected to cover $75 million of the expense.
Equifax also last week reported fourth-quarter profit that topped Wall Street forecasts and disclosed that it uncovered an additional 2.4 million U.S. consumers whose data was stolen in the attack.
According to Gamble, the breach negatively impacted revenue by 3.5% in the quarter.
As Reuters reports, the company said in September that hackers had stolen personally identifiable information of U.S., UK and Canadian consumers, including names, Social Security numbers, birth dates, addresses driver’s license and credit card numbers.
“That disclosure prompted outrage from politicians and consumer advocates around the world, a string of government probes into company and the departure of top executives,” Reuters said.
Equifax warned in a regulatory filing on Thursday that further analysis could identify more consumers or additional types of data stolen in the hack. It remains the largest known data breach of personal information in history.