What is the Cost of a Breach - $700m or $4?

Aug 1, 2019 2:27:00 PM

Capital One just announced a cyber breach exposing the personal information of 100 million customers. Meanwhile, a $700 million settlement was recently reached in relation to Equifax’s data breach, where the personal information of 147 million individuals was improperly accessed in 2017. That $700m figure, however, amounts to a fee of $4 per impacted individual.

With respect to Equifax, per a summary of events released by the Federal Trade Commission (FTC), Equifax’s security team received a US-CERT alert notifying them of a critical vulnerability in open-source software used to build web applications. This alert was forwarded internally with instructions to patch affected systems within 48 hours, in accordance with the company’s Patch Management Policy. Equifax performed an internal vulnerability scan to identify affected systems; however, the scan was inadequate and did not identify all systems requiring the software patch.

According to the FTC complaint, the company used an improperly configured automatic scanner that failed to detect the vulnerability within the company’s Automated Consumer Interview System (ACIS). It took months for Equifax to detect the ‘open sesame’ vulnerability in its systems. It was also alleged that they had no process to validate that the patching had been successfully completed, that they stored administrator credentials in plain-text files, and that they failed to update expired security certificates - all of which contributed to the breach, which included names, dates of birth, and Social Security numbers.

Equifax has agreed to pay at least $575m - and up to $700m - as part of a global settlement with the FTC, the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories. $175m will be paid to the 48 states, the District of Columbia and Puerto Rico, in addition to $100m to be paid to the CFPB in civil penalties. $300m will be allocated to a fund to provide affected customers with credit monitoring services and compensate individuals who had already bought credit monitoring or incurred out-of-pocket expenses as a result of the breach. An additional $125m is to be added to this fund if it does not prove sufficient to compensate customers for their losses.

With affected individuals numbering in the range of 147 million, these settlement figures amount to $4 per individual at the low end ($575m), still hovering below $5 if they are called upon to dispense the entire $125m reserve fund.

While the maximum $700m settlement figure is certainly not insubstantial, and could be crippling to a firm without Equifax’s $3.5 billion revenues - it still gives us pause to note that the total payout, on a per capita basis, represents a Starbucks run for those affected by the loss of their highly sensitive private financial and personally identifying information. Sorry about losing your SSN – can I get you a latte?
