Why Investors Just Don't Care About Data Breaches

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.businessweek.com/articles/2014-05-23/why-investors-just-dont-care-about-data-breaches

On May 21, EBay (EBAY) revealed that it had suffered a cyber attack and
data security breach, and users’ information—names, account passwords,
e-mail addresses, physical addresses, phone numbers, and birth dates—was
exposed to hackers. While security experts, the news media, and actual EBay
users may have all been alarmed, the stock investors weren’t. EBay’s stock
finished trading virtually unchanged that day, dropping all of 8 pennies to
$51.88.

That’s been the trend among companies that have suffered cyber attacks—the
stock market practically ignores them. Consider Target (TGT) and its own
well-publicized data breach that happened back in December. Target’s stock
didn’t really move at all. Investors sent a clear message they didn’t care.
The stock fell several weeks later, in January, only after the company cut
its earnings forecast. Even so, the stock rebounded in the next six weeks.

Target shares have been falling since last year, for a lot of reasons
unrelated to the data breach. Poonam Goyal, an analyst for Bloomberg
Industries, says: “There is softness in the industry. Lower-income
customers are struggling, and you’re seeing weakness with competitors like
Wal-Mart and other department stores.” She also points out that Target
isn’t the hot company it was a few years ago, as a lot of other companies
have adjusted their tactics—focusing on price, rotating smart designers,
and being a haven for treasure hunters. “Target was different before, but
what about now?” In addition, its Canadian expansion “has a long, long way
to go. They have issues in consumer perception there.” Goyal’s analysis
suggests Target would have been under pressure—regardless of the data
breach.

Compare that with T.J.Maxx (TJX), which had a data breach affecting 94
million customers in 2007. Its stock similarly dropped about 12 percent in
two months, only to completely recover a couple of months later. In fact,
that bottoming out turned out to be a great buying opportunity in the
stock. There was no long-term damage to the company’s fortunes—in the years
following, share prices surged to five times the pre-breach levels.

Another big company with a recent problem was JPMorgan Chase (JPM), which
revealed in December that 465,000 customers were at risk of having their
data compromised. Despite being such a large number in absolute terms, it
only represented 2 percent of the 25 million who had that particular UCard
product—barely enough to move the needle on the overall business or
reputation of the bank. Not surprisingly, JPM stock was back to flat in two
weeks.

Adobe Systems (ADBE) announced a data breach in October that affected 38
million users—including 3 million encrypted customer credit card records.
The stock kept moving like nothing happened. It was at $52 then, and now
it’s at $62. Punishment? No.

We could keep belaboring the point, with prior examples from Fidelity
National Information Services (FIS) and Heartland Payment Systems (HPY).
Same story: breaches, quick stock drops followed by eventual recoveries.

These numbers suggest that investors just don’t care much about data
breaches, while hackers are incentivized to keep trying to steal data.
Maybe that’s why these events will keep happening. History repeats itself.
And if you see a stock that goes down because of it, that’s always proven
to be a good buying opportunity over the long haul.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!