BreachExchange mailing list archives

In TalkTalk aftermath, it's time for companies to pay higher price for breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 28 Dec 2015 18:34:13 -0700

http://www.zdnet.com/article/in-talktalk-aftermath-its-time-for-companies-to-pay-price-for-breaches/

After Target's breach, its stock was fine. Home Depot's stock prices showed
no noticeable impact of its big hack attack. JPMorgan Chase's investors
didn't even blink when the company was revealed to be the target of the
largest-ever theft of customer data from a US financial institution (and
one of the biggest breaches to date).

But when UK telecom giant TalkTalk joined the breach victim club in October
2015, its stock took a jaw-dropping beating, and it hasn't recovered. The
burning question of "why" has a lot of people wondering if there was
something different about TalkTalk's break-in that we should all be paying
attention to, or if we're now entering the era where cyberattacks can
damage more than a company's reputation.

When news of TalkTalk's breach made headlines on October 22, its stock went
into a spiral. In just the first few days after the attack, the publicly
traded company's stock fell a stunning 22% -- and rode an average 20% drop
through November, with no recovery in sight.

It was the target of a fairly standard attack routine: on or around October
21, the company's website was pummeled with a distributed denial of service
(DDoS) attack, during which a SQL injection attack was made and databases
were snatched. As with other companies, this was not TalkTalk's first
attack; as far as we know, the company had been popped twice before within
the past year. Both times, its stock was unaffected.

TalkTalk admitted the hack to media on October 22, and its share price
promptly went into free-fall. TalkTalk made an urgent statement to press,
where the company mumbled that "not all of the data was encrypted" -- it
was soon revealed in a Pastebin dump that this included customers'
sensitive data, meaning that passwords and other critical information sat
on the databases in plaintext. In fact, TalkTalk's FAQ about the hack
answers the question "Was the data encrypted?" evasively saying, "Credit
and debit card details were tokenised, which is a standard higher than
encryption. In all other respects we complied with any obligations to
encrypt data."

Sidestepping questions about securing data under fire isn't ethical, but it
also isn't unique to TalkTalk; companies are wont to soften the blow of
security disasters. Also not unique to TalkTalk was the size of the
customer base affected. The breach was first estimated to affect 4 million
customers, but the company quickly ratcheted the number of those directly
affected back to 157,000. It was revealed that 16,000 customers saw bank
account details stolen. TalkTalk admitted to press that the information
"accessed" by attackers was customers' names, email and mail addresses,
dates of birth, and account information, along with credit card and bank
account details. In comparison, Target's breach affected the sensitive
credit and debit card information of 40 million customers.

TalkTalk's breach also followed the modern blame-game playbook, with an
"evildoer" attacker that later proved to be both a temporary distraction
from accountability and utterly false. One day after the news hit, on
October 23, former Scotland Yard cybercrime unit detective Adrian Culley
told BBC Radio 4's Today program, "It appears at face value to be Islamic
cyberterrorism," and that the hack was the work of Islamist militants from
"Soviet Russia". By November 15, all five arrests for the hack were
UK-based teenagers.

Within the same time frame, the US recently charged three Israeli men for
hacking and robbing JPMorgan Chase & Co, in what is the largest-ever theft
of customer data from a U.S. financial institution (and one of the biggest
breaches to date). When news of the breach first hit, it was reported that
"some members of the bank's security team to tell outside consultants that
they believed the hackers had been aided by the hidden hand of the Russian
government" -- and attribution was firmly assigned to Russia. (A fourth
culprit, an American citizen, is still at large and wanted by the FBI.)
JPMorgan's stock prices never knew the difference.

It's kind of amazing that so many companies have been dragged through the
headlines over breaches and used as examples of what not to do when
protecting customers and clients in the digital era, and yet none of them
have had what we'd expect to be the result of a reputational crisis:
Virtually none have taken a hit in the stock market.

But there have been a few. Summit Route's Scott Piper reminds us that there
have been instances of stocks taking a hit as the result of a company being
hacked. Notably, two.

"Heartland Payment Systems (HPY) suffered the largest credit card breach in
history, with an estimated 130M customers affected. In the middle of the
day on Tuesday, January 20, 2009, Heartland Payment Systems announced they
had been breached ... That morning the stock had opened at $15.06, and by
close it was at $14.18 (-5.8%). The next day it didn't move much (closed at
$14.11), but on Thursday, Jan 22, it closed at $8.18, which is a 45.7% drop
from its open just a few days prior. It seems that on the initial news of
the breach on January 20, it wasn't known how bad it really was and the
news was drowned out due to that day being Inauguration Day for President
Obama, but on Thursday people figured out what exactly was compromised.

"Global Payment Systems (GPN) suffered a breach ... on March 30, 2012, and
by the end of the day the stock had dropped 9.5% from its open."

Both companies were slammed by Visa, which may explain their stock
death-spirals. Piper notes that both "were ultimately delisted by VISA as
being non-compliant with the PCI standard, which meant their customers
(merchants) could be fined if they continued using them, which meant
merchants would either stop using these payment solutions or pass the fines
onto them."

Sony might have been on Piper's list of exceptions, having fallen 6.6
percent on the New York Stock Exchange after its very public breach
disaster came to light last November, but Deadline reported it was "tough
to find a Wall Street analyst who would attribute the fall to the computer
hack." Marketwatch said that afterward, Sony's stock price rose "41% from a
post-breach low of $19.73 on Dec. 16, setting fresh four-year highs."

Then again, Marketwatch also reported in April that "cyberattacks don't
hurt stock prices" -- and in TalkTalk's situation, this is clearly not the
case.

Harvard Business Review's April article, the now-questionably titled "Why
Data Breaches Don't Hurt Stock Prices," hinted at why the awareness among
investors might be changing. They suggested in April that stock prices
weren't getting dinged in the aftermath of all these egregious breaches
because, "Shareholders still don't have good metrics, tools, and approaches
to measure the impact of cyber attacks on businesses and translate that
into a dollar value."