Equifax rating outlook decimated over cybersecurity breach

A Moody’s downgrade shows that poor security can have severe financial fallout.
Written by Charlie Osborne, Contributing Writer

Moody's has cut its rating outlook for Equifax in consideration of a disastrous security breach which led to the theft of over 146 million user records.

The capital markets and investment firm decided to reduce its Equifax outlook from stable to negative this week, as first reported by CNBC.

A 2017 data breach is the cause of the financial fallout. Individuals from the US, Canada, and the United Kingdom were informed that their information had been exposed, potentially including names, social security numbers, birthdates, home addresses, and partial driving license details.

A well-known vulnerability in Apache Struts, CVE-2017-5638, was blamed for the intrusion.


The Apache Struts Project Management Committee said at the time the attackers behind the breach "either used an earlier announced vulnerability on an unpatched Equifax server or exploited a vulnerability not known at this point in time." Equifax revealed an unpatched system was at fault, despite the bug's disclosure and a patch being made available two months before the data breach occurred.

In other words, the data breach was preventable, a fact that haunts Equifax to this day.

The failure to patch the problem has been an expensive lesson for the company, not just in terms of its battered reputation, but in cold, hard cash and results on the balance sheet.

Moody's cited a legal expenditure charge of $690 million in the first quarter as a reason for the downgrade. However, the cost to Equifax is far more substantial, with Q1 2019 earnings also revealing $786.8 million in general costs due to the data breach, $82.8 million in data security costs, $12.5 million in legal fees, and $1.5 million in product liability charges, as noted by IT Pro.


"We are treating this with more significance because it is the first time that cyber has been a named factor in an outlook change," Joe Mielenhausen, a Moody's spokesperson, told CNBC. "This is the first time the fallout from a breach has moved the needle enough to contribute to the change."

The financial ramifications of lax patch processes are now proving to be an ongoing strain and burden on Equifax. The company is also facing class-action lawsuits and regulatory scrutiny -- which may, in turn, lead to additional fines and penalties in the future.

These problems have a knock-on impact which has now entered investor territory, as traders and shareholders will often examine rating outlooks and creditworthiness reports provided by companies such as Moody's to ascertain the long-term prospects of an organization.

Cyber risk and cyber insurance are relatively new entrants to investor considerations but ones that cannot be ignored.


A major security incident or data breach can now have a long-term financial impact on a victim company, so the responsibility lies with corporations to strengthen their security practices as much as possible to mitigate the risk of attack -- as well as reduce the risk to investors.

Equifax serves as a lesson in why boards should sign up to proactive security defense rather than consider security as a budgetary afterthought. However, despite the credit rating company's efforts to improve its security and prevent such a data breach from ever happening again, the millions of dollars now spent on shoring up security are also a financial burden and one that Moody's cannot ignore.

"Beyond 2020, infrastructure investments are likely to remain higher than they had been before the 2017 breach," the company added.

An Equifax spokesperson told ZDNet:

"EFX remains solidly investment grade and the revision in Moody's outlook will not impact our internal investments including new products, our $1.25B EFX2020 technology and security advancements, or future acquisitions."
