Moody’s has cut its rating outlook for Equifax in consideration of a disastrous security breach which led to the theft of over 146 million user records.
A 2017 data breach is the cause of the financial fallout. Individuals from the US, Canada, and the United Kingdom were informed that their information had been exposed, potentially including names, social security numbers, birthdates, home addresses, and partial driving license details.
The Apache Struts Project Management Committee said at the time the attackers behind the breach “either used an earlier announced vulnerability on an unpatched Equifax server or exploited a vulnerability not known at this point in time.” Equifax revealed an unpatched system was at fault, despite the bug’s disclosure and a patch being made available two months before the data breach occurred.
In other words, the data breach was preventable, a fact that haunts Equifax to this day.
The failure to patch the problem has been an expensive lesson for the company, not just in terms of its battered reputation, but in cold, hard cash and results on the balance sheet.
Moody’s cited a legal expenditure charge of $690 million in the first quarter as a reason for the downgrade. However, the cost to Equifax is far more substantial, with Q1 2019 earnings also revealing $786.8 million in general costs due to the data breach, $82.8 million in data security costs, $12.5 million in legal fees, and $1.5 million in product liability charges, as noted by IT Pro.
“We are treating this with more significance because it is the first time that cyber has been a named factor in an outlook change,” Joe Mielenhausen, a Moody’s spokesperson, told CNBC. “This is the first time the fallout from a breach has moved the needle enough to contribute to the change.”
The financial ramifications of lax patch processes are now proving to be an ongoing strain and burden on Equifax. The company is also facing class-action lawsuits and regulatory scrutiny — which may, in turn, lead to additional fines and penalties in the future.
These problems have a knock-on impact which has now entered investor territory, as traders and shareholders will often examine rating outlooks and creditworthiness reports provided by companies such as Moody’s to ascertain the long-term prospects of an organization.
Cyber risk and cyber insurance are relatively new entrants to investor considerations but ones that cannot be ignored.
The consequences of a major security incident or data breach can now have a long-term financial impact on a victim company, so the responsibility lies with corporations to strengthen their security practices as much as possible to mitigate the risk of attack, as well as reduce the risk to investors.
Equifax serves as a lesson in why boards should sign up to proactive security defense rather than consider security as a budgetary afterthought. However, despite the credit rating company’s efforts to improve its security and prevent such a data breach from ever happening again, the millions of dollars now spent on shoring up security are also a financial burden, and one that Moody’s cannot ignore.
“Beyond 2020, infrastructure investments are likely to remain higher than they had been before the 2017 breach,” the company added.
ZDNet has reached out to Equifax and will update if we hear back.