The cost of the data breach at credit-reference agency Equifax has now reached at least $439 million, according to recent tax filings.
The filings come as the company admits to finding that a further 2.4 million accounts were breached.
And according to Reuters, the company’s insurance will only cover up to $125 million of these losses – if they pay up.
Security expert Larry Ponemon suggested that the data breach could end up going down – for the time being – as the biggest in corporate history.
The breach, which was uncovered in September 2017, might have affected more than 185 million accounts in the US, Canada and the UK.
In the UK, the company initially claimed that the information of only around 400,000 people had been compromised, and that this didn’t include financially sensitive information.
It later admitted that some 14 million UK accounts had been compromised, including all account data, and the figure, according to some estimates, may be as high as 44 million.
Ponemon claims that the already-public costs could be higher than the $439 million figure taken from the company’s filings. He believes that once government and legal financial details are taken into account, the costs of the breach could actually be “well over $600 million”.
Nevertheless, last week the company revealed that it had achieved better-than-expected fourth-quarter financial results.
Although Wall Street analysts expected Equifax to publish dire financial results, the company managed to post revenues up five per cent to $838.5 million in its fourth quarter and a net income of $172.3 million.
The company’s stock price is now higher than before the cyber attack took place, but the worst may yet be to come, with regulators and consumer rights groups across the world preparing legal cases. Equifax has also spent millions on belatedly upgrading its technology and security infrastructure.
In a statement, interim Equifax CEO Paulino do Rego Barros said: “This is not about newly discovered stolen data. It’s about sifting through the previously identified stolen data, analysing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.”