NEW YORK/TORONTO (Reuters) – Equifax Inc (EFX.N) said it expects costs related to its massive 2017 data breach to surge by $275 million this year, suggesting the incident at the credit reporting bureau could turn out to be the most costly hack in corporate history.
The projection, which was disclosed on a Friday morning earnings conference call, is on top of $164 million in pretax costs posted in the second half of 2017. That brings expected breach-related costs through the end of this year to $439 million, some $125 million of which Equifax said will be covered by insurance.
“It looks like this will be the most expensive data breach in history,” said Larry Ponemon, chairman of Ponemon Institute, a research group that tracks costs of cyber attacks.
Total costs of the breach, which compromised sensitive data of more than 147 million consumers, could be“well over $600 million,” after including costs to resolve government investigations into the incident and civil lawsuits against the firm, he said.
Equifax on Thursday reported fourth-quarter profit that topped Wall Street forecasts and disclosed that it uncovered an additional 2.4 million people whose data was stolen in the attack.
Its shares rose nearly 4 percent to $115.82 on Friday on the higher-than-expected earnings. They have lost about a quarter of their value since Equifax disclosed the incident in early September.
Equifax said in September that hackers had stolen personally identifiable information of U.S., UK and Canadian consumers, including names, Social Security numbers, birth dates, addresses driver’s license and credit card numbers.
That disclosure prompted outrage from politicians and consumer advocates around the world, a string of government probes into company and the departure of top executives.
Equifax warned in regulatory filing on Thursday that further analysis could identify more consumers or additional types of data stolen in the hack.
This year’s costs include technology and security upgrades, legal fees and free identity theft services to consumers whose data was stolen, the company said in a conference call.
(This story corrects fourth paragraph to show that breach compromised data of more than 147 million consumers, not 247 million consumers.)
Reporting by John McCrank in New York and Jim Finkle in Toronto; editing by Chizu Nomiyama and Meredith Mazzilli