Cyber Insurance – Failure to patch software costs US company more than US$243 million

Details are emerging of how a failure to patch software can result in significant costs to a company. US company Equifax Inc. is a consumer credit reporting agency that collects information on over 800 million individual consumers and more than 88 million businesses worldwide.  It provides credit scores for consumers.

On 8 March 2017, the US Department of Homeland Security Computer Emergency Readiness Team (US-CERT) put Equifax (and others) on notice of the need to patch a vulnerability in Apache Struts software. Apache Struts is an open-source framework for developing Java web applications. Equifax had deployed it on public-facing web servers through which consumers could dispute items on their credit reports.

Although Equifax circulated the US-CERT notification internally the following day (9 March 2017), the vulnerable version of Apache Struts in use within Equifax was neither identified nor patched. This was due in part to human error and in part to vulnerability scans that failed to detect the problem.

Between 13 May and 30 July 2017, hackers exploited the Apache Struts vulnerability to access sensitive information held by Equifax. During this time, Equifax's security tools did not detect this illegal access.

On 29 July 2017, Equifax’s security department identified and blocked suspicious traffic sent by hackers.  The following day (30 July 2017), due to further suspicious activity, Equifax took the consumer website completely offline.  The criminal hack then ended.

Between 2 August and 4 September 2017, investigators determined that approximately 143 million consumers had their personal information stolen. The data stolen included full names, Social Security numbers, birthdates, addresses and, in some cases, drivers' licence numbers. At least 209,000 consumers' credit card credentials were taken. Equifax subsequently announced it had found an additional 2.5 million US customers whose personal data had been stolen in the hack.

On 7 September 2017, Equifax publicly announced the cyber security breach via a press release. Within hours of the announcement, the first lawsuit against Equifax was filed. To date, over 250 lawsuits have been filed against Equifax in relation to the security breach.

In the eight months or so since learning of the hack, Equifax has incurred costs totalling US$243 million to remedy the incident.  In the first quarter of 2018 alone, the following costs were incurred by Equifax:

                                     US$ millions
IT and data security costs                   45.7
Legal and investigative fees                 28.9
Product liability costs                       4.1
Total                                        78.7

Equifax has recovered US$60 million from its insurers thus far. Clearly, Equifax will suffer an enormous uninsured loss, as it had (only) US$125 million of cyber security insurance cover above a US$7.5 million deductible. One wonders why Equifax's insurers have paid less than 25% of the costs incurred to date (although the US$60 million paid by insurers so far is not insignificant). Whichever way you look at it, the loss resulting from the failure to patch just one particular (and identified) vulnerability in a single software package has had an enormous financial impact.

Updates will be provided on the Equifax claim as further details emerge.