Hacker News

Dude, if you look at Equifax's and SolarWinds' EBITDA/earnings statements following their respective breaches, you will clearly see that there has been no major impact to their bottom line. Sure, expenses rise a bit for a short period of time, but these are not catastrophic by any means.

I mean, I'm looking at SolarWinds' last earnings statement and comparing quarters from last year to now, they are up about 3.5% in revenue (3/31/2020 vs 3/31/2021).



>Dude, if you look at Equifax's and SolarWinds' EBITDA/earnings statements following their respective breaches, you will clearly see that there has been no major impact to their bottom line.

I'm looking at Equifax's 2018 statements right now. With Operating Revenue of $3.4 billion and profits of $850 million, they had $400 million of expenses related to the breach. "No major impact" my ass.


If you compare year over year, many of the things they attribute to the breach are actually just IT/overhead costs they were able to shift to a loss. If you look at their EBITDA, everything is essentially static. In the grand scheme of things, it really isn't a huge impact to them.

Let's say you are a CEO: If you underspend on technology/security by ~50-100m/year, for 5 or 10 years... then have a bad breach, which costs you 400m, what do you get?

A: A Ferrari, because you saved the company 500m dollars and got a cyber insurer to pay for your technology/security program.

I'm not even joking you, I have been in meetings with a CEO, CIO and CISO, where they literally joked around that they should have more breaches because they actually made money on the intrusion and that they were able to upgrade a bunch of stuff they were planning on upgrading next year anyways.


>If you compare year over year, many of the things they attribute to the breach are actually just IT/overhead costs they were able to shift to a loss.

No, it's not. Read the 10-K. It includes pages upon pages of the breach-related expenditures, including hundreds of millions of dollars spent on extra stuff like credit monitoring, legal fees, and professional services costs. That's not "just IT/overhead costs".

Just because a company was planning to spend $400 million anyway doesn't mean that having to spend that $400 million on breach-related expenses is no impact. The budget doesn't just come out of thin air, it gets allocated from other places. Spending $400 million on breach-related expenses means not spending that $400 million on something else like product development, research, marketing, or other company initiatives. The impact is enormous.

>In the grand scheme of things, it really isn't a huge impact to them.

You have no clue how businesses work if you seriously think that an additional, unexpected $400 million in expenses (almost 50% of their yearly net profits) "isn't a huge impact to them". That's really all that has to be said here.


> You have no clue how businesses work if you seriously think that an additional, unexpected $400 million in expenses (almost 50% of their yearly net profits) "isn't a huge impact to them". That's really all that has to be said here.

You clearly have no clue how it looks inside the board rooms and executive offices of some of these huge companies. This type of stuff is treated the exact same way as if a 400m building burns down.

define: impact

2) have a strong effect on someone or something.

My point still stands... If a company can weather the storm, there is no long term impact. If you look at Equifax's breach, it hasn't depressed their revenue. They haven't had to massively change how they operate or had to pivot into new businesses. Over the long term, it has had very little effect on the company long term, which is my entire point.


>You clearly have no clue how it looks inside the board rooms and executive offices of some of these huge companies. This type of stuff is treated the exact same way as if a 400m building burns down.

I sit with CISOs daily discussing this stuff. $400m expenditures is enough to scare the shit out of them. A $400m building burning down would have CEOs fired (see: Equifax CEO being fired after breach). I don't know what fantasy land you live in, but you're either delusional or lying.

>If a company can weather the storm, there is no long term impact.

That's not what impact means.

>If you look at Equifax's breach, it hasn't depressed their revenue.

This means nothing. It's possible that with an additional 50% of their yearly net income freed up, they could have massively increased their revenue by spending that on product development or sales efforts. You cannot draw any conclusions simply from the fact that their revenue hasn't decreased.

>Over the long term, it has had very little effect on the company long term, which is my entire point.

On the other hand, it may have had an enormous impact. In a time period where every other company is seeing massively rising profits and stock prices, Equifax has been relatively stagnant. Your point has no standing.


I agree with most of your points, but I think it's worth noting that "they didn't do as well as they could have" and "their CEO stepped down with a 90M severance" is a tough pill to swallow. Like, yes, Equifax could be doing better had they not been breached. I'm sure CISOs and board members are quite unhappy with a 400M dollar expenditure. But I also think it's very fair to say that that's getting off easy.


YoY it's a bad thing and makes for a bad year. But longer term the effect seems to have been negligible.

That could be because the $400m would likely have gone on dividends and remuneration, not investment.


> A $400m building burning down would have CEOs fired (see: Equifax CEO being fired after breach). I don't know what fantasy land you live in, but you're either delusional or lying.

In what world does getting 90m $ to leave the company constitute "getting fired"? That's early retirement.

> In a time period where every other company is seeing massively rising profits and stock prices, Equifax has been relatively stagnant.

So, it will take them 2 or 3 years longer to reach some arbitrary stock price. Certainly an earth shattering experience.


Equifax’s stock is up 50% from a year ago. I’d say this hack did nothing bad for their stock.


Seems long covid fogs the market analysts' brains too.


Roughly 10% of revenue is something, but not that big of a deal, especially since their overall revenue is up.

Don’t you think stronger consequences than that should happen when a company unintentionally discloses tens of millions of people’s personally identifiable information that has been collected without any particularly explicit permission given by those people?

Credit agencies hold a special place in the US economy, and when they messed up this badly, the team threat of some near-going-out-of-business level consequences seem like the only way to truly get other companies to take this seriously. Especially considering that there are other credit agencies in the country - they don’t have a monopoly on this.


Their business model is weaponizing this information against consumers. They work for the businesses that do lending, not for the recipients of the loans.

And you would think that given their one job is to supposedly safeguard this info, the consequences would be more severe or we would re-think this entire business model of consumer credit, but our society is not capable of that kind of consumer advocacy. Likely due to some powerful interest's bottom line.


That doesn't mean anything. In such a year their products should have flown off the shelves.

Remote monitoring/management? In a COVID year? Just 3.5%.

That's horrendous.


Are you sure about that?

The customers who had experience with remote work and already knew that SW products would help them in this situation was a fixed number.

The number of companies who had no clue about how to do remote work, and after haphazardly had to switch to it may still have no idea that you need to use products provided by SW.

Also do you really need any of that to do remote work?

Of course not.


I'm sorry but I have pretty good info about SW. I can tell things are rough there.

More than anything, it proved that their model is flawed.

Just the number of gov agencies that are forced to stop working with them is a major blow.


You missed my point.

I agree they are not doing well, but I also do not see why they should’ve, even if the breach didn’t happen.


> they are up about 3.5% in revenue

Revenue != bottom line. Bottom line is profit, i.e. revenue minus expenses.



