(Adds details on data breach, quote from cyber security expert)
By John McCrank
Nov 9 (Reuters) - Equifax Inc on Thursday reported lower quarterly profit, and quarterly revenue missed estimates, as the credit bureau warned that its massive data breach had prompted some customers to hold back business.
The breach, which compromised sensitive data of 145.5 million people, has harmed the company's reputation and prompted investigations in every U.S. state, a federal criminal probe and hundreds of lawsuits. Equifax said it was not possible to estimate how much it would cost the company to respond to the probes and litigation. The Atlanta-based company said it recorded $87.5 million in expenses related to the hack during the quarter, including legal fees, investigation of the breach, and free credit monitoring for U.S. consumers whose data was exposed in the breach.
Equifax estimated a range of additional costs between $56 million and $110 million to continue providing the free services.
The company warned there could be further attacks. "We cannot assure that all potential causes of the incident have been identified and remediated and will not occur again," it said in a quarterly filing with the Securities and Exchange Commission.
Eric Johnson, dean of Vanderbilt University’s Owen Graduate School of Management, said that uncertainty could cost Equifax future business.
"They need to be able to nail those pieces and have a clear explanation of what happened and how they solved it," said Johnson. "I think they can get there, but they aren’t there now."
Johnson estimated the costs from the breach will total in the hundreds of millions of dollars, but that lost revenue could be even larger.
The company said the breach was already taking a toll on sales.
"We believe that certain of our customers have determined to defer new contracts or projects unless and until we can provide assurances regarding our ability to prevent unauthorized access to our systems and the data we maintain," it said in the SEC filing.
Equifax needs to do a better job of communicating whether it believes the hackers are still inside its network, said Mark Rasch, a former U.S. federal cyber-crimes prosecutor who advises businesses on responding to breaches.
"What I want to know is 'How did they get in?' and 'How are they preventing hackers from getting in in the future?' They haven't answered those questions," said Rasch.
The SEC is one of more than a dozen regulatory bodies investigating Equifax over the hack. Additionally, several agencies, including the U.S. Attorney's Office for the Northern District of Georgia, had probes into the trading activities of some Equifax employees before the breach was made public, the company said.
Equifax reported third-quarter revenue of $834.8 million, missing analysts' average estimate of $845.94 million, according to I/B/E/S Thomson Reuters.
Net income attributable to Equifax fell to $96.3 million, or 79 cents per diluted share, from $132.8 million, or $1.09 per diluted share, a year earlier.
Adjusted for one-time costs, such as hacking- and merger-related expenses, Equifax said it earned $1.53 per share, topping analysts' average estimates by 4 cents.
Shares of Equifax, which reported after the closing bell, were down a penny in aftermarket trading at $108.94. The stock is down around 24 percent since Sept. 7, when Equifax disclosed the breach. (Reporting by John McCrank in New York; Editing by Jim Finkle and James Dalgleish)