The Great Equifax Hack Of 2017: An Opportunity Of A Lifetime

Last week I started tracking my Warren Buffett-inspired real money dividend growth portfolio on Seeking Alpha.

As fortune would have it, the day my Interactive Brokers (NASDAQ:IBKR) account got funded was also the day that Equifax (NYSE:EFX) announced the sixth biggest data breach in world history and shares plunged 13%.

Because the stock was on my buy list, I took that opportunity to open my initial position in the company.

ChartEFX data by YCharts

Of course, not surprisingly for a corporate disaster of this magnitude, the bad news kept coming, and shares kept crashing, ending up 35% for the week, and down 36% from its all-time high.

So, as I explained in my first weekly portfolio update, my rule-based limit orders (add $ 1,000 for every 10% decline) were triggered, not once, not twice, but thrice.

That means that Equifax is now my 10th largest position, representing 3.9% of my portfolio (and life savings).

Has Dividend Sensei gone totally mad and taken leave of his senses? Not at all.

Let’s take a look at the reasons I consider The Great Equifax Crash of 2017 to be such a potentially amazing long-term opportunity, assuming of course your investment profile is similar to mine.

Murphy’s Law At Work

Don’t get me wrong, I’m not a blind contrarian investor, willing to catch any falling knife that pays a dividend.

After all, the Equifax hack is a huge deal:

  • 143 million Americans affected (including myself) or 75% of those with a credit profile potentially had their social security numbers, birth dates, addresses, and driver’s license numbers stolen.
  • 209,000 credit card numbers were stolen.
  • 400,000 Great Britain citizens are also potentially affected, the largest data breach in UK history.

This has naturally resulted in demands for investigations by the Securities and Exchange Commission, Department of Justice, and Federal Trade Commission, including from no less than 36 US Senators.

The potential fallout is certainly likely to be massive, with 40 states launching investigations into the breach, CEO Richard Smith set to testify before Congress on October 3rd, and legislators such as Maxine Waters and Elizabeth Warren calling for increased regulations and a total revamping of the credit reporting system.

On top of that, we have a class action lawsuit filed for $ 70 billion that theoretically has the potential to bankrupt the company.

And then of course we can’t forget Equifax’s world-class bungling of its response to the crisis.

  • Revelations that three executives sold $ 1.8 million worth of stock just days after discovering the breach on July 29th (while the news wasn’t publicly released until September 7th). Whether or not the SEC determines criminal wrongdoing (Equifax claims these particular execs didn’t know about the breach), the optics are absolutely horrible.
  • The Apache Software Foundation claims to have known about the software vulnerability (software used by 65% of Fortune 100 companies and the IRS) and had previously released a patch to fix the problem, which Equifax didn’t take advantage of.
  • Consumer complaints of trouble checking its website, signing up for a year of Premium TrustedID credit monitoring, and the company having to backtrack on forcing a mandatory arbitration clause (that stripped consumers of the right to sue) to take advantage of this service. This clause has now been removed.
  • When Equifax finally did take the final step and offer to waive credit freeze fees, it was only for itself and for 30 days.
  • The Chief Information Officer and Chief Security Officer have both resigned in disgrace. That’s actually a very good thing, especially given that the CSO’s bachelor’s degree and a master of fine arts degree in music composition from the University of Georgia further adds to the horrible headlines at this time of torches and pitchforks. That being said, while the CSO’s liberal arts degree may not be in anyway relevant to cyber security, Mauldin has extensive industry experience, having served as CSO for First Data Corporation (NYSE:FDC), SunTrust Banks (NYSE:STI) and HP (NYSE:HPQ).

In other words, Equifax has managed to construct a perfect case study for how NOT to handle a data breach. Indeed it’s been shooting itself in the foot since Thursday’s announcement to the detriment of shareholders who have been getting gored on the daily.

Why Buy A Burning House?

While Warren Buffett is famous for being the ultimate contrarian investor (having made tens of billions of dollars off opportunistic mass purchases of American Express (NYSE:AXP), Geico, Wells Fargo (NYSE:WFC), and Coca-Cola (NYSE:KO) during periods of company turmoil), in fact the greatest contrarian of all was the Roman Marcus Licinius Crassus.

Crassus was the richest private citizen in human history ($ 2 trillion net worth in inflation adjusted US dollars) and famously made a fortune by buying burning Roman houses for pennies on the dollar, and then having his private firefighting force (the only one in Rome) put out the flames before the property was totally destroyed.

In other words, the first investor to, in the words of Rahm Emanuel, “never let a serious crisis go to waste.”

Well, I consider The Great Equifax Hack of 2017 to be just such a Crassus/Buffett moment, the ultimate example of “being greedy when others are fearful” and buying when Wall Street is running red with the blood of panicking investors.

The reason is that Equifax at its core is a wide-moat oligopoly in a very high margin business.

In fact, Equifax provides the world economy an absolutely vital service, and is one of the three largest credit reporting agencies in the world, handling data storage and analysis for far more than just American consumers.

Source: Equifax Investor Presentation

In fact, this breach only affected 17.5% of the company’s total consumer data pool, and ultimately even less of its overall business, given the highly diversified nature of the company.

Source: Simply Safe Dividends

And the fact is that this breach isn’t likely to severely curtail the company’s sales, earnings, or free cash flow growth. Why? Well, for one thing, while consumers may be up whipped into a frenzy by this hack, the fact is that US consumers are not Equifax’s true customers.

Those would be the financial institutions that use the company’s data and credit scores to make lending decisions.

And so while there may be talk of increased regulation of the credit reporting industry, the fact is that it is a 100% essential component of the economy.

In fact your credit report can affect your ability to:

  • Get any consumer loans (credit cards, mortgages, car loans, student loans, personal loans),
  • rent an apartment,
  • get a job, and
  • even get a date.

In other words, you can’t live a normal life in the US without a credit score. So the notion of people demanding “out of the system” is purely a knee jerk (though understandable) reaction to the massive nature of this hack.

And in case you don’t find that argument compelling, how about this?

While US Information Solutions (the business segment that got hacked) is the most profitable unit, it also only accounted for 7% of sales growth last year.

By far the international business, which is unaffected by the breach, is what matters for the future growth prospects of the company.

Now don’t get me wrong, as a shareholder of Equifax, I am appalled at this breach, and 100% agree that management needs to be held accountable for dropping the ball on security (including not keeping software up to date).

So let me be clear, CEO Rich Smith NEEDS to be fired. Fortunately I am confident that he will be gone once the Congressional hearings are over. In my opinion, the Board of Directors is only keeping him around to face the political verbal firing squad.

Once Congress justifiably rakes him over the coals (including plenty of grandstanding and posturing for the cameras), I expect Smith will be gone, and the company can finally start to recover from this debacle.

Now I also want to make very clear two important personal points to head off any comments about “investing in an evil company.”

First, my data, according to Equifax, may be part of the hack.

In addition, my ex-wife used her power of attorney to take out $ 50,000 in debt without my permission or knowledge and sunk my credit score to an all time low of 424 (still working to bring it back to its former 800+).

So I am very aware of the pain and suffering caused by identity theft, and am indeed furious with the company for failing to keep its security software up to date, and thus likely putting millions of people into a similarly crappy situation.

That being said, I don’t let my emotions dictate my investment decisions, because at the end of the day, business is business and Equifax is a fast growing, free cash flow minting machine with a potentially very bright dividend growth future ahead of it.

Solid Dividend And Total Return Profile

Equifax’s high-margin, cash-rich business model is likely to continue growing strongly, because ultimately the need for consumer credit around the globe (especially in emerging markets) is only going to increase over the coming decades.

That in turns translates into a very attractive total return profile for dividend growth investors like myself.

Company Yield TTM FCF Payout Profile Projected 10 Year Dividend Growth Projected 10 Year Annual Total Return
Equifax 1.6% 27.2% 11% to 14% 12.6% to 15.6%
S&P 500 1.9% 39.5% 5.9% 9.1%

Sources: GuruFocus, Morningstar, Management Guidance, FactSet Research,,

Of course with the company now in chaos, and potentially facing massive liabilities, the safety and growth prospects of the dividend are naturally in doubt.

So let’s take a look at just how safe Equifax’s payout really is.

How Much Is This Going To Cost?

The first step in determining whether or not Equifax will survive this crisis, much less with the dividend intact, is to determine a reasonable estimate of the actual fines the company will pay.

My colleague Martin Vlcek, using data pertaining to Target’s (NYSE:TGT) and Home Depot’s (NYSE:HD) data breaches, thinks that it could realistically be as large as $ 2.75 billion.

Of course, bears will correctly point out that these companies merely lost credit card numbers, which can easily be canceled and replaced.

On the other hand, Equifax lost irreplaceable data, such as social security numbers, addresses, birthdays, and driver licenses, things that could be used to open fraudulent accounts many years in the future.

So what we need to do is find another example of a more severe case of data theft, and see what kind of fines those generated.

Well, it just so happens that in 2015 Anthem (NYSE:ANTM) was hacked in a breach affecting 78.8 million people. In that case the thieves got:

  • Names,
  • birthdates,
  • social security numbers,
  • medical IDs,
  • street addresses,
  • e-mail Addresses, and
  • employment data, including income.

In other words, far more damaging than even the Equifax hack, and also precisely what’s needed to steal a person’s identity, even potentially decades down the road.

After extensive federal and regulatory investigation (including the FBI), how many tens of billions of dollars did Anthem pay for exposing nearly 25% of America to a potential lifetime of financial fraud?

$ 115 million, or $ 1.46 per victim.

So let’s be conservative and assume that the bad press and management’s asinine mishandling of the crisis ends up costing two or even three that amount, in that case Equifax would end up paying fines of:

  • 1X Anthem cost: $ 209 million
  • 2X Anthem cost: $ 418 million
  • 3X Anthem cost: $ 626 million

But potential cost is just one part of the equation. We also need to know how strong the company’s finances are, specifically can it withstand such a blow, and will that result in a dividend cut or suspension?

Company Debt/EBITDA EBITDA/Interest Debt/Capital S&P Credit Rating
Equifax 2.37 12.3 34% BBB+
Industry Average 3.31 NA 57% NA
Hypothetical 50% Increase 3.56 8.2 51% BBB+

Sources: Morningstar, F.A.S.T. Graphs

Well, as it turns out, Equifax has a pretty strong balance sheet with a much lower than average leverage ratio, low debt/capital ratio, a high interest coverage ratio, and a strong investment grade credit rating.

Thus even if it had to borrow $ 1.35 billion (increasing its debt load by 50%), the company’s cash flow could still easily service the debt payments.

But wait, it gets even better.

Year FCF Generated Dividends Paid Excess Cash Cash On Balance Sheet
2016 $ 622 million $ 158 million $ 464 million $ 404 million (current)
2017 $ 667 million $ 190 million $ 477 million $ 643 million
2018 $ 716 million $ 210 million $ 506 million $ 1.149 billion
2019 $ 768 million $ 234 million $ 534 million $ 1.684 billion

Source: Morningstar

Right now, Equifax has $ 404 million in cash on the balance sheet, and it’s generating massive amounts of free cash flow in excess of its dividend payments.

So even assuming that the dividends were raised to $ .43 and $ 0.48 per quarter for 2018 and 2019, respectively (maintaining double-digit growth), then by the end of those years (when the final settlement would be likely be due), Equifax’s cash balance would be between $ 1.1 and $ 1.7 billion.

In recent years, the company has easily operated with $ 100 million in cash on the balance sheet meaning that it can afford to pay $ 1.0 to $ 1.6 billion in cash fines, without threatening the dividend or its growth.

That’s enough to pay $ 6.99 to $ 11.19 per victim or 4.8 to 7.7 what Anthem settled for.

Throw in the $ 100 to $ 150 million in insurance the company has (cybersecurity, crime, general liability), and the potential to borrow $ 1.35 billion to settle legal fines, and Equifax can afford to pay up to $ 3.1 billion, $ 21.67 per victim or 14.8 times what Anthem paid, without putting the dividend at risk.

And in a worst-case scenario, where a dividend suspension was temporarily required to save the company from bankruptcy, Equifax could afford to pay as much as $ 3.5 billion, $ 24.48 per victim, or 16.8 times what Anthem paid.

Given the objective facts, that Anthem’s data breach exposed its customers to far worse financial abuse potential, I find it hard to believe that anyone can reasonably claim that what Equifax did was more than 16.8 worse than Anthem.

Which basically means I see very little existential risk (it’s not going bankrupt) to the company.

Valuation Is Appealing

Thanks to the fear, uncertainty, and doubt following this hack, Equifax is now trading at its lowest price in about two years.

ChartEFX data by YCharts

So assuming that, like me, you think the company can get past this crisis (put out the house fire), then today is a potentially excellent time to add Equifax to your portfolio.

Company Forward PE Historical PE Yield Historical Yield
Equifax 13.8 19.5 1.6% 1.0%
Industry Median 21.9 NA 2.2% NA

Source: GuruFocus

As you can see, on a forward PE basis, Equifax is now a bargain, especially compared to its peers and its own historical norm.

Meanwhile, while the dividend yield may not be anything to write home about, it is nonetheless at a five-year high.

ChartEFX Dividend Yield (TTM) data by YCharts

Of course profits are not earned in the past, but in the future.

Which is why a discounted cash flow, or DCF, analysis is often the best way of truly determining whether or not a stock is on sale.

TTM FCF/Share Projected 10 Year FCF/Share Growth Terminal Growth Rate Fair Value Estimate Growth Baked Into Current Price Margin Of Safety
$ 5.21 5.0% (worst case) 3% $ 103.97 2.1% 11%
7.2% (historical growth) 4% $ 138.46 33%
11% (low end management guidance) 4% $ 186.39 50%
14% (high end management guidance) 4% $ 235.31 60%

Sources: Morningstar, GuruFocus, Management Guidance

Now obviously, no model is perfect, as it’s based on a wide range of possible growth rates. However, as you can see, even if Equifax’s business ends up being severely harmed by the scandal, resulting in a 30% decrease in growth (compare to the last decade), the stock is still undervalued.

And the more likely scenario is that Equifax will be able to grow at least as fast as before, thanks to aggressive international expansion, which would make it one of the most undervalued stocks on Wall Street, with a massive margin of safety at current prices.

Could This Time Really Be Different?

Of course, the risk with any major contrarian value investment is that you turn out to be dead wrong. So in the spirit of Charlie Munger (Buffett’s right hand at Berkshire (NYSE:BRK.A) (NYSE:BRK.B)), here’s how this investment inverts (could end up failing).

First, on its fundamental business front, Equifax’s highest margin US credit bureau business is largely saturated and slow growing. That means that future growth will have to come from new business areas particularly workforce solutions and international.

However, its moats (and margins) in those areas aren’t as great, which means that increasing economies of scale will be needed to expand margins further (though I believe that EFX will be able to do so).

As to the issue of the hack, while the headline risks appear to be class action lawsuits and onerous new government regulations, ultimately those are likely overblown.

That’s because, while $ 70 billion lawsuits, or even tales of people using Chatbot to sue Equifax for $ 25,000 without a lawyer (theoretical liability $ 3.575 trillion), those cases are not likely to go anywhere simply because it’s all but impossible for consumers to prove in court that any particular instance of identity theft is due to this breach.

In fact, the 143 million person headline is itself misleading. The data of up to 143 million people may have been exposed, but how many actual victims exist is far harder to determine (we may never know).

In addition, not everyone whose data was stolen will end up a victim of fraud, and of course, the timing of any attempted identity theft could be years down the road.

In other words, while the populist anger over this breach, and especially management’s epic bungling of its reaction to the crisis, mean that Equifax is 100% guilty and worthy of hanging in the court of public opinion, in the actual court of tort law, the company’s largest detractors actually have far less legal standing than they think.

But what about potential regulatory changes? Might not the government decide to nuke the industry? While that is a small risk, keep in mind that what Equifax did (by being lackadaisical about security software) is far less egregious than the big banks that nearly destroyed the world economy in 2008-2009.

Did anyone go to prison? Were the big banks broken up? No, because, despite the largely justified fury that Americans felt over the crisis and the bailout the banks got, at the end of the day, the world still needs them to keep credit flowing and the gears of the world economy turning.

The same is true for credit rating agencies. Without them there would be no consumer credit, which would truly be a nuclear bomb to the economy.

Congress may be full of egotistical grandstanders and narcissistic wannabe celebrities, but at the end of the day, whether or not you think it’s just for Equifax to get off largely scot free, that’s probably what’s going to happen (you may as well profit from it).

In other words, the business model of credit rating agencies will probably go on as usual, but with far more pressure on CIOs and CSOs to prevent this kind of catastrophe again.

But just because the industry will survive and thrive doesn’t necessarily mean that Equifax will. After all, while consumers may not be its customers, lending institutions are, and they could always decide to jump ship to TransUnion (NYSE:TRU) or Experian (OTCQX:EXPGF).

However, I don’t think that is likely, and agree with Brett Horn of Morningstar that “Equifax’s entrenched oligopolistic position in its core credit bureau business is unlikely to be affected.”

Of course, I’ll be watching the next few quarterly earnings reports especially closely to see if there is any sign of just such an exodus of large financial clients.

Bottom Line: Equifax Hacking Crisis Is A Classic Buffett/Crassus Moment

Don’t get me wrong, there are no guarantees in life, and when it comes to a screw up of this magnitude, there is a small possibility that Equifax’s business model could be permanently impaired either from additional costly regulations or from some major financial clients jumping ship. That in turn could very well result in the dividend growth thesis breaking.

In other words, I fully realize that I may end up taking a large bath on this one.

That being said, given the wide moat nature of the company, which operates in a vital industry that serves as the crossroads of consumer credit in our debt driven economy, as well as global economic data as a whole, I remain confident that “this time is NOT different” and that Equifax will eventually get past this crisis with its business model largely intact.

Which is why with full understanding of the risks involved, as well as the fear, uncertainty, and doubt that is sure to dominate the share price in the coming weeks, months, and quarters, I plan to not just hold my shares for the long term but continue adding on each successive 10% decline for as long as the crash persists (up to a limit of 10% of my portfolio).

Of course, I don’t expect to actually buy that much, because it would require a further 53% decline in the share price to $ 51.18. And please realize that by no means do I recommend that anyone but the most risk tolerant investors own more than 2.5% to 5% in their well diversified portfolios.

Should my investment thesis change (Like Lord Maynard Keynes “when the facts change I change my mind“), I will make sure to let my readers know. However, for the moment, I see Equifax as the quintessentially undervalued “be greedy when others are fearful” long-term dividend growth opportunity.

Disclosure: I am/we are long EFX.

I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.


This entry was posted in Cloud Computing and tagged , , , , , . Bookmark the permalink.