If you haven’t heard of Equifax’s recent data breach, you have not been paying attention. On September 7, 2017, Equifax, one of America’s three big credit reporting agencies, announced a data breach that compromised the Personally Identifiable Information (“PII”) of 143 million Americans, 200,000 credit card numbers, and the personal data of hundreds of thousands of Canadian and U.K. citizens. This article will not delve into the various instances of bungling, potential insider trading, potential fraud, and overall incompetence that have plagued Equifax during this debacle, or the specifics of the Equifax breach, as that has been well-documented elsewhere.
The main question that must be answered is: “How much will Equifax have to pay as a result of lawsuits (consumer & government), increased cybersecurity personnel, hardware, and software, and ongoing regulatory and monitoring costs?”
For purposes of this article, I will exclude the recurring regulatory and monitoring cost estimates as regulations and legislation have not occurred at this time, but rest assured they will number in the tens of millions annually at least.
I firmly believe that costs associated with this breach will be above $1 billion, and as this nightmare unfolds the stock will continue to drop over the next 12 to 18 months.
In order to estimate costs associated with the Equifax breach, I will be reviewing two similar data breaches that have happened in the past several years: Target’s Credit Card Breach and Anthem’s Personally Identifying Information (“PII”) Breach. First, let’s review the comparison cases.
Target’s Data Breach
On December 15, 2015, Target (NYSE:TGT) shut off the connection to a compromised server, which hackers had used to gain access to consumer data for the past month. On December 19, 2017, Target acknowledged the breach publicly after KrebsOnSecurity reported the breach a day earlier. All in all, this breach compromised 40 million credit and debit card numbers and basic personal data (i.e., address, e-mail address, phone number etc.) of 70 million consumers. Needless to say, the basic personal data was not “sensitive” and could only be used as a supplementary piece of any attempts to commit fraud/steal identities. Target ended up settling class action lawsuits with consumers and with 47 states’ attorneys general in 2015 and 2017, respectively. As part of the consumer class action settlement, Target offered free credit monitoring and paid $10 million into a fund to disburse up to $10,000 to each consumer who was affected by the breach. As part of the government class action, Target paid approximately $18 million for legal fees and to increase enforcement of consumer protections etc. In addition to these settlement costs, Target paid an additional $202 million in legal fees and other costs (e.g., implementing new security improvements, consumer credit monitoring, notifying consumers etc.).
On February 5, 2015, Anthem (NYSE:ANTM) publicly disclosed a cybersecurity breach of PII (e.g., social security numbers, birth dates, and home addresses) of 78.8 million individuals. The breach was discovered January 27, 2015. Ultimately, Anthem was not found to have been negligent or liable for any wrongdoing by State Regulators and only ended up settling a consumer class action suit for $115 million. In addition to this settlement, Anthem had spent roughly $261 million in other costs (e.g., implementing new security improvements, consumer credit monitoring, notifying consumers etc.) in addition to as much as $38 million in legal fees.
Summary of Target and Anthem Breaches
From the data above, one thing is clear. The Anthem breach was significantly more severe than the Target breach, as not only were more consumers affected but also PII is not easily changed and can be used to commit identity theft. However, note that Anthem and Target disclosed their respective breaches in a relatively timely manner, while Equifax took far longer. Also, note that Anthem was not fined by any state or local governments for shoddy cyber security practices due to its relatively effective processes. Compare that to Equifax’s failure to patch a publicly known weakness for several months.
See below for a table comparing the extent and timing of the Equifax, Target, and Anthem breaches (Equifax’s line item costs are denoted with “?”):
Please note that these costs do not include estimates for annual increased expenses for enhanced cyber security teams, software, hardware, regulatory costs etc. I could not find any exact data on these extra costs, so for purposes of this article I will exclude them from this analysis.
Based off the actual costs reported from publicly available sources (linked above), I calculate that Target and Anthem spent roughly $4.6 (as Consumer Data and Credit Card consumers overlapped for the Target breach I averaged the two to get the number of consumers affected) and $5.2 per consumer, respectively.
Using the per consumer costs from Target and Anthem, I calculated the estimated cost per consumer for Equifax at $5.05 per consumer affected.
Note: I gave Anthem a 75% weight in the calculation as that breach is more similar to Equifax’s situation.
Using my estimated cost per consumer, I calculate that Equifax will ultimately owe $708 million at a minimum for allowing this breach to happen. There are a few factors that will increase this number:
- Anthem was not found negligent in handling of customer data and reported the breach within 10 days of discovering it and therefore was not subject to government lawsuits/fines. Equifax may have known about the breach on March 10 (three months before the company said it was aware of any breach) and did not notify the public until September 7; potentially 181 days after the breach occurred. States have different requirements when it comes to timing of disclosures of data breaches, so no proof of loss/harm is necessarily required to show Equifax has broken the law and is liable for damages. The state and local government lawsuits are piling up, and we are only staring at the tip of the iceberg with regard to Equifax’s potential state and local government liabilities.
- Equifax’s breach occurred due to the company not patching a known vulnerability within the open source software that they use. This patch had been available since March, and was communicated to users of this software. The sheer negligence involved in this lack of action will lead to increased regulatory oversight and fines by the applicable government regulators.
Combine the above two points with the laughable and amateurish way that the company has handled this entire affair, and you get angry consumers, which leads to angry elected politicians, which will lead to big fines from the Consumer Financial Protection Bureau (“CFPB”) and other government organizations as well as big consumer, shareholder, and government lawsuits that could lead to hundreds of millions in additional losses for Equifax, orders of magnitude above what Anthem and Target paid. If I were a betting man, which I am, I would say when this is all said and done, Equifax will pay in total between $1 billion and $1.5 billion for this preventable breach.
As of June 30, 2017, Equifax’s relevant fundamentals were as follows:
- Negative working capital (Current Assets – Current Liabilities) of -$343 million, with only ~$400 million in cash on the balance sheet to pay upcoming bills (including a note payable of ~$270 million due July 2017).
- Intangible assets of $5.6 billion (including $4 billion of Goodwill, basically overpayments for acquisitions) out of total assets of $7 billion.
- Long-term debt of $2 billion.
- Shareholders’ equity of $3 billion.
- Free Cash Flow of $430 million.
- Quarterly payments of $100 million in dividends.
- $50 million in payments on a Term Loan.
The most recent fundamental snapshot of Equifax is not healthy. Its low working capital is a concern in the context of upcoming legal fees, huge payments of maturing long-term debt, and reduced revenue due to this scandal. A huge portion of assets is classified as intangibles, which will inevitably need to be written off in the coming quarters as the intangible assets purchased will most certainly be impaired as a result of this data breach. Think about it: goodwill is larger than shareholders’ equity! Essentially, this company has negative shareholders’ equity; it’s mind-boggling. In addition, prior fiscal year earnings were ~$488 million; put into the context of the company’s relatively low cash balance, the huge fines, legal and regulatory expenses upcoming, and the inevitable write-downs of intangibles, this leaves the company in a very precarious cash and equity position. Equifax is in real danger of needing to issue more shares in order to strengthen its equity balance.
The one positive for this company is its ability to generate hundreds of millions in Free Cash Flow, which was ~$400 million last quarter. However, this will go down in Q3 as it will have to pay down its note payable due in July. Also, in order to shore up its tenuous cash position, the company will need to suspend its dividend and borrow heavily in the short term, which will cause it to be dropped by a myriad of institutional investor funds. This will lead to even more unstable fundamentals and will call into question the company’s ability to continue as a going concern.
The effects of this breach on Equifax’s ongoing operations remain to be seen. However, this event will probably reduce Equifax’s Global Consumer Solutions’ contribution to revenue (~11% of current sales) to effectively $30-40 million (roughly 10% of 2016’s total revenue) for the foreseeable future, and may potentially cause financial institutions to reduce business dealings with the company, further squeezing its already precarious cash, equity, and earnings position. Decreased sales will greatly impact this company in the following quarters and should not be underestimated just because of the perceived barrier to entry and “too big to fail” status that this company has.
Given the unprecedented magnitude of this breach and the obviously negligent behavior that allowed it to happen, I believe Equifax will have to pay at least $1 billion in fines, legal fees, settlement costs, and enhancements to its current cybersecurity framework. In addition, it will almost assuredly incur additional regulatory costs relating to new legislation and rules coming from Congress, the CFPB, and maybe even the Federal Reserve. Equifax’s relatively low cash balance and negative working capital, low ratio of equity to goodwill, looming expenses, and future reduced earnings will require it to cut or eliminate its dividend and issue debt and equity. Earnings will remain compressed or even negative for the next few years as Equifax deals with the fallout from this event. As this circus unfolds, I expect Equifax’s stock price to sink to the $50 range, giving it a more appropriate PE ratio of ~10.
With the various investigations and lawsuits just getting started, it may take a few months for my thesis to come to fruition as investors wake up to the reality of this situation, but I am willing to wait.
Disclosure: I am/we are short EFX.
I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.
Additional disclosure: Short position is initiated via PUT options.