The Department of Justice may think it knows who hacked Equifax and exposed the sensitive personal information of 148 million U.S. consumers, but that doesn’t mean the breach is behind Equifax quite yet.
In fact, the credit reporting agency disclosed this week that it expects to pay out an additional $100 million for its role in the breach.
Last year, the company set aside then agreed to pay out nearly $700 million to settle numerous federal and state investigations.
But the company revealed this week in its fourth-quarter earnings report that it set aside another $99.6 million in the fourth quarter for “certain legal proceedings and government investigations related to the 2017 cybersecurity incident.”
According to the company, it believes this accrual will cover the remainder of its expected payouts for the breach. More specifically, the company said it “represents completed settlements and our best estimate of remaining liabilities for the U.S. matters related to the 2017 cybersecurity incident.”
All in all, the company set aside just over $800 million for breach-related payouts in 2019, which does not include the company’s legal or professional services expenses.
Beyond that, the company spent an additional $337 million in 2019 on technology and data security, legal and investigative fees, and product liability for the breach.
In total, the breach cost Equifax $1.14 billion in 2019 alone.
Overall, the breach cost Equifax more than $1.7 billion since it was first disclosed in 2017.
According to Equifax, at the time of the breach, the company had $125 million in cybersecurity insurance coverage. The company has long since received the maximum reimbursement of $125 million on that insurance policy.
The company also cautions that despite its current belief that this $100 million will cover all its “remaining liabilities,” it is possible that its financial punishment is not over yet.
“While it is reasonably possible that losses exceeding the amount accrued will be incurred, it is not possible at this time to estimate the additional possible loss in excess of the amount already accrued that might result from adverse judgments, settlements, penalties or other resolution of the proceedings and investigations related to the 2017 cybersecurity incident based on a number of factors, such as the various stages of these proceedings and investigations, that alleged damages have not been specified or are uncertain, the uncertainty as to the certification of a class or classes and the size of any certified class, as applicable, and the lack of resolution on significant factual and legal issues,” the company said in its earnings statement.
“The ultimate amount paid on these actions, claims and investigations in excess of the amount already accrued could be material to the company’s consolidated financial condition, results of operations, or cash flows in future periods,” the company added.