With media coverage of security breaches becoming more commonplace, the business world is beginning to realise that it is less a matter of “if” there will be a breach and more a matter of “when”.
While there is often extensive coverage of the cost to the affected company of a data breach, rarely is the impact on the company’s value examined.
We looked at four recent data breaches and examined the impact on share prices for the companies involved, both short and medium term, to see if the value of the company is indeed affected.
On 21 October 2015, TalkTalk was subjected to what it described as a “significant and sustained” attack on its website, originally stating fears that millions of people may be affected. The reality was that just short of 157,000 people’s personal details had been stolen.
In an official statement, TalkTalk CEO Dido Harding stated that the company had no legal obligation to encrypt the sensitive data which had been stolen. In October, the Information Commissioner’s Office (ICO) fined TalkTalk a record £400,000 in relation to the breach.
Within two days of the breach, TalkTalk shares had dropped by more than 10% followed by further decline to the end of the year. The telco has yet to recover from this drop and lost more than 90,000 customers because of the attack.
In this instance, it seems likely that the breach, combined with a smaller breach the previous year and what could be perceived as TalkTalk’s poor handling of the situation, may have contributed significantly to the decline in value of TalkTalk’s shares.
Dido Harding has now announced that she is stepping down from the company, though nobody has suggested that the breach was a contributing factor in her decision.
Sometime around 29 November 2013, US retail giant Target Corporation became the victim of an attack on its point of sale systems, which resulted in the exposure of personal data of up to 70 million individuals.
Target saw an initial drop in share value over the following three months. However, share prices rebounded and even surpassed their pre-breach high by 2015. Target’s share prices have maintained their value and overall the breach has had little ongoing impact, despite Target agreeing to settle a $10m class action lawsuit.
Following the breach, CEO Gregg Steinhafel resigned, a new head of technology was appointed and some structural changes were made to the organisation. It is possible that these steps mitigated any long-term effect that the breach may have had on share prices by restoring investor faith in the company.
An announcement in September of 2016 showed that Yahoo had been the subject of a data breach in 2014 in which data was stolen from 500 million accounts.
This colossal loss of data came at a time when the company was recovering from a decline in shares over the course of 2015, and the announcement that Yahoo was to be acquired by Verizon. The immediate effect was a drop in share prices and a continued decline to the end of December 2016.
While this may be the beginning of a downward trend, it’s probably too soon to tell if the breach has had a significant long-term effect on Yahoo shares.
However, in February 2017, it was announced that Yahoo CEO Marissa Mayer would lose her annual bonus and would not be receiving a stock award after an investigation concluded that both security breaches were mishandled by senior Yahoo executives.
Further to this, Verizon and Yahoo agreed to a reduced price of $4.48bn for the acquisition of Yahoo’s core internet business, a drop of $350m.
Overall it seems that while a data breach may have a short-term impact, in the long run it is likely to be only one of several factors affecting share price. Arguably, the way the company handles the breach is a far greater influence than the breach itself.
Of course, we have only scratched the surface of recent data breaches. Across the board, the aftermath of a breach is distinctly varied and often hinges on many other factors.
A distinct negative impact may be indicative of further governance issues in the organisation. If so, could it be possible to predict with any level of certainty the likelihood of a further breach?