Our holidays are over, but data breaches don't take holidays
Welcome back to everyone from summer holiday. Today I wanted to write about the impact of the recent Equifax data breach and the practical current (and potentially future) implications.
As a quick summary, there was a huge security breach at the credit reporting company Equifax (via a website vulnerability) that has exposed sensitive information, (Social Security numbers, addresses, credit card numbers, etc) of up to 143 million Americans, which is approximately 45% of the country. Up to 44 million UK citizens may also be impacted, as Equifax and its UK subsidiaries represent British clients including BT, Capital One and British Gas.
Avivah Litan, an analyst who monitors ID theft and fraud for the technology and research company Gartner said: "On a scale of 1 to 10, this is a 10. It affects the whole credit reporting system in the United States because nobody can recover it, everyone uses the same data." It has been noted that the loss of personal data in this attack was significantly higher than that of the two now famous Yahoo data breaches.
The implications of this data breach will manifest themselves in the short, medium and long term. We will start with the short term:
Immediately after announcing the data breach, shares in Equifax stock dropped 13.7%, from 142.72 per share to 123.23 per share.
By calculating the change in Market Value (120,370,000 shares outstanding), we can see that this change in share price relates to an immediate $2.3 billion loss in value to the company and its shareholders. That is the clear representation of the short-term cost of a data breach.
In the medium term, things will not be looking any brighter. Raj Joshi, a senior analyst at Moody's, noted that the cyber attack is a negative credit factor for Equifax "because it will impede the company's solid earnings growth over the next three to four quarters and hurt its reputation as a custodian of consumer data for over 200 million consumers." This point is a an excellent illustration of something that we have mentioned many times here at Exate Technology. When it comes to data, it is all about trust.
Attorney Generals in at least five state attorneys general are already formally investigating the breach, and two class-action lawsuits have already been filed, claiming negligence on the part of Equifax in protecting sensitive data. In addition, the Consumer Financial Protection Bureau (who is authorized to take enforcement action) is also looking into the breach.
Longer term, there is the bigger issue of the EU General Data Protection Regulation ("GDPR") to worry about. Given that there was potentially a large number of UK citizen's data potentially compromised, the UK Information Commissioner's Office has been involved. ICO Deputy Commissioner James Dipple-Johnstone, said: "Reports of a significant data loss at US-based Equifax and the potential impact on some UK citizens gives us cause for concern."We are already in direct contact with Equifax to establish the facts including how many people in the UK have been affected and what kind of personal data may have been compromised." "In cyber attack cases that cross borders the ICO is committed to working with relevant overseas authorities on behalf of UK citizens."
Let's highlight a few ways in which Equifax would be impacted under GDPR:
Fines: Up to 4% of global turnover, meaning that in the case of Equifax, the fine could be up to $112 million.
Class Action Lawsuits: In addition to the US lawsuits, UK citizens could also file a damages claim.
Notification: Data breaches under GDPR must be notified within 72 hours of being identified. In the case of Equifax, it took them over a month to reveal that an attack occurred. More disturbingly, three of its top executives, including the Chief Financial Officer, sold shares valued at almost $2 million two days after Equifax learned of the attack.
In conclusion, data breaches are the gift that keeps on giving. From loss of market value, to ongoing investigations (potentially leading to fines), to significant reputational risk and loss of trust, the impact of a data breach will be felt for many years.
Protect the data - avoid the fines.