Equifax Data Breach Settlement Finalized – Lessons on Cyber Risk

February 9, 2022  Justin Theriot

News - Risk AnalysisOffers for free credit monitoring are going out this month, finalizing the settlement for the 2017 data breach at Equifax that exposed the personal information of 147 million people. Let’s put this in perspective with findings from the data science program at RiskLens. 

The RiskLens data science team has aggregated data on 18,000 data breaches from Advisen and other trusted data suppliers and applied Factor Analysis of Information Risk (the FAIR™ model that powers the RiskLens risk analytics platform) and Monte Carlo simulation to derive a detailed look at the frequency and impact of data breaches with unprecedented visibility into the differences among industries, geographic locations, record counts, types of loss and other parameters.

Author Justin Theriot is Principal Data Scientist at RiskLens

Some insights based on our research (dollar figures are inflation-adjusted):

Equifax is paying or has paid an estimated

$812 million in fines and judgments (F&J) from regulators or court cases

$417 million in secondary response costs (SRC) for settlements, credit monitoring, legal defense costs, etc.

>>Equifax was #3 for SRC among cyber incidents in recent years after #1 US Office of Personnel Management at $1.17 billion (hack of PII announced in 2015, leading to payments to federal employees for privacy violations), #2 Facebook at $757 million (for settlement of the 2010 lawsuit over facial recognition technology).

>>Equifax was #2 for F&J behind Facebook – the Federal Trade Commission hit the social media company with a massive $5 billion fine for the 2018 Cambridge Analytica data leak case.

>>Equifax was #2 in lawsuits filed, behind Home Depot (2014, PCI data breach) : 72 vs. 84. 

Our research and analysis identified the factors why Equifax accrued such large financial losses:

1. The company is based in the US where fines and judgements run high:  275% more costly than comparable cases in the EU.

2. The company is in the financial sector – that increases F&J 80% over other industries because of tighter regulations.

3. The breach was an external attack (by Chinese military actors, according to the US government); F&J go up by 52% for external attack vs. an internal error.  

4. The breach was malicious which causes SRC to run 130% higher in the US vs. the EU.

Our research has a direct application for the users of the RiskLens platform. Through loss tables, data helpers and pre-packaged risk scenarios, clients can instantly access curated, industry-specific, credible data that greatly reduces risk analysis time – as we like to say, clients should put their time into data selection not data collection. Our data science also supports new products like RiskLens Pro, a managed service for clients with limited staff or budget and seeking quarterly reports on their top risks, trends in loss exposure and ROI on security investments. 

Read more about RiskLens data science in this research synopsis.


Just-in-Time Data for Fast, On-Demand Cyber Risk Assessments

RiskLens Estimates Probable Cost of T-Mobile Data Breach