With media coverage of security breaches becoming more commonplace, the business world is beginning to realise that it is less a matter of ‘if’ there is a breach and more a matter of ‘when’. Whilst there is often extensive coverage of the cost to the affected company of a data breach, rarely is the impact on the company’s value examined.
We looked at four recent data breaches and examined the impact on share prices for the companies involved, both short and medium term, to see if the value of the company is indeed affected.
TalkTalk Group PLC
On 21st October 2015, TalkTalk was subjected to what it described as a ‘significant and sustained’ attack on its website, originally stating fears that millions of people may be affected. The reality was that just short of 157,000 peoples’ personal details had been stolen. In an official statement, TalkTalk CEO Dido Harding stated that the company had no legal obligation to encrypt the sensitive data which had been stolen. In October, the Information Commissioner’s Office fined Talk Talk a record £400,000 in relation to the breach.
Within two days of the breach, TalkTalk shares had dropped by more than 10% followed by further decline to the end of the year. The telco has yet to recover from this drop and lost more than 90,000 customers because of the attack.
In this instance, it seems likely that the breach, combined with a smaller breach the previous year and what could be perceived as TalkTalk’s poor handling of the situation, may have contributed significantly to the decline in value of TalkTalk’s shares.
Dido Harding has now announced that she is stepping down from the company, though nobody has suggested that the breach was a contributing factor in her decision.
Sometime around the 29th November 2013, US retail giant Target Corporation became the victim of an attack on its point of sale systems, which resulted in the exposure of personal data of up to 70 million individuals.
Target saw an initial drop in share value over the following three months, however, share prices rebounded and even surpassed their pre-breach high by 2015. Target’s share prices have maintained their value and overall the breach has had little ongoing impact, despite Target agreeing to settle a $10 million class action lawsuit.
Following the breach, CEO Gregg Steinhafel resigned, a new head of technology was appointed and some structural changes were made to the organisation. It is possible that these steps mitigated any long term affect that the breach may have had on share prices by restoring investor faith in the company.
An announcement in September of 2016 showed that Yahoo! had been the subject of a data breach in 2014 in which some 500 million users’ data was stolen.
This colossal loss of data came at a time when the company was recovering from a decline in shares over the course of 2015, and the announcement that Yahoo! was to be acquired by Verizon. The immediate affect was a drop in share prices and a continued decline to the end of December 2016.
Whilst this may be the beginning of a downward trend, it’s probably too soon to tell if the breach has had a significant long term impact on Yahoo! shares, and if Verizon’s acquisition goes ahead then it will likely become difficult to accurately measure any further effects.
Overall it seems that whilst a data breach may have a short-term impact, in the long run it is likely to be only one of several factors affecting share price. Arguably, the way the company handles the breach is a far greater influence than the breach itself.
And of course, we have only scratched the surface of recent data breaches. Across the board, the aftermath of a breach is distinctly varied and often hinges on many other factors. It could be seen that a distinct negative impact may be indicative of further governance issues within the organisation, in which case, could it be possible to predict with any level of certainty the likelihood of a further breach?