Given that Equifax is the firm behind what was arguably the most comprehensive and damaging breach in U.S. history — a breach that left the consumer data of 145.5 million people up for sale on the dark web — the rational assumption would have been that its Q3 earnings report was probably going to take a hit.
And it did. A big one.
In fact, among the reveals during the earnings report is that Equifax has already paid out $87.5 million in expenses due to the hack this quarter — and that that august sum is likely the tip of the iceberg. The rest of that iceberg, however, is submerged — and Equifax admitted during earnings that at this point it is not even possible for the firm to estimate how much more spending to clean up their breach remains still under the surface.
They were, however, able to offer an estimate for how much providing all that free credit monitoring will cost them — between $56 million and $110 million.
And, in the most disturbing possible reveal, Equifax also noted that however expensive and damaging this hack was — more could in fact be on the way.
"We cannot assure that all potential causes of the incident have been identified and remediated and will not occur again,” it said in a quarterly filing with the Securities and Exchange Commission.
Not what anyone wanted to read — and something that could easily see Equifax find a way to lose even more business than it already has.
“They need to be able to nail those pieces and have a clear explanation of what happened and how they solved it,” said Eric Johnson, dean of Vanderbilt University’s Owen Graduate School of Management. “I think they can get there, but they aren’t there now.”
Johnson further estimated the costs from the breach will total in the hundreds of millions of dollars, but that could be something on the order of pocket change when compared to the amount of revenue they are set to loose.
An effect that was already quite observable during their Q3 reporting.
“We believe that certain of our customers have determined to defer new contracts or projects unless and until we can provide assurances regarding our ability to prevent unauthorized access to our systems and the consumer data we maintain,” it said in the SEC filing.
Assurance, notably, that Equifax and interim CEO Paulino do Rego Barros are still failing to provide. Mark Rasch, a former U.S. federal cybercrimes prosecutor who advises businesses on responding to breaches, noted that Equifax needs to get its act together on this topic — yesterday.
“What I want to know is ‘How did they get in?’ and ‘How are they preventing hackers from getting in the future?’ They haven’t answered those questions,” said Rasch.
And their earnings results showed that the markets are ready to punish them for it.
Equifax reported third-quarter revenue of $834.8 million, missing analysts’ average estimate of $845.94 million. Net income was also a miss — falling to $96.3 million, or 79 cents per diluted share, down from $132.8 million, or $1.09 per diluted share, a year earlier.
Shares in Equifax fell some as the earnings were reported after the closing bell, consistent with the trend for the back half of 2017. The credit monitoring firm has seen its stock price bleed off 25 percent since the hack was announced in September of this year.