A data breach incurs serious consequences. Employees get fired, executives issue public apologies, and entire systems are overhauled to ensure that it doesn’t happen again. Data breaches instill doubt in consumers, damage a company’s reputation, and the impact can last for years.
But how do investors react to data breaches? Does Wall Street punish companies that leak customer data? Tech research firm Comparitech attempted to answer this question.
Comparitech analyzed the closing share prices of 28 companies, all of them listed on the NYSE, starting the day prior to the public disclosure of their respective data breaches. Included were many of the largest data breaches in history; all of them resulted in at least 1 million records leaked, and some surpassed 100 million. Some companies were breached more than once, for a total of 33 breaches analyzed.
Comparitech was primarily concerned with the effect of a data breach on closing share price at various time intervals, the percent difference in closing share price performance versus the NASDAQ over the same period of time from the day prior to a breach, and how long it takes for a share price to “bottom out” after a breach.
Data breaches analyzed
- Oct 13, 2013 – 38 million active user records including 3 million encrypted credit card numbers breached September 17, 2013
- September 3, 2012 – 12 million unique device IDs stolen from an FBI agent’s laptop
- We surmise Apple’s poor performance during this period was more to do with the succession of its former CEO Steve Jobs, who died less than a year earlier, and the launch of the first iPhone since his death.
- February 4, 2015 – 80 million medical records breached in January 2015
Capital One ($COF)
- July 30, 2019 – 100 million records, included bank account info, SSNs, and general account info, breached by a company employee
Community Health Systems ($CYH)
- August 18, 2014 – 4.5 million names, addresses, dates of birth, phone numbers, and Social Security Numbers breached between April and June
Dun & Bradstreet ($DNB)
- March 15, 2017 – 33.6 million files containing details ranging from job title to email addressed breached
- September 25, 2013 – D&B, Altegrity, and LexisNexis all report a breach going back to April including names, addresses, property records and vital statistics
- April 3, 2019 – 540 million records about Facebook users exposed by third-party app developers including account names, IDs, friends, photos, location check-ins and details about comments and reactions to posts. 22,000 of these included account passwords.
- September 28, 2019 – 50 million Facebook accounts were compromised through stolen access tokens that allow attackers to hijack the accounts
First American Financial ($FAF)
- May 24, 2019 – 885 million records dating back 16 years exposed, including bank account numbers, statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images
- May 21, 2014 – 145 million accounts breached in Feb/March 2014 including passwords
- Sept 17, 2017 – 143 million US consumers’ names, Social Security numbers, and dates of birth were exposed, sometimes including driver’s licenses and/or credit card numbers. Some Canadian and British customers were affected as well.
Global Payments ($GPN)
- April 2, 2012 – 1.5 million credit and debit card numbers were breached in early March
Health Net ($HNT)
- November 19, 2009 – A hard drive with seven years’ worth of personal financial and medical information of 1.5 million customers of Health Net of the Northeast Inc. went missing in May 2009
- March 15, 2011 – Nine server drives containing names, addresses, Social Security numbers, financial information and health data of 1.9 million customers went missing from an IBM data center
Heartland Payment Systems ($HPY)
- May 31, 2015 – 130 million credit cards breached on May 8, 2015
Home Depot ($HD)
- September 18, 2014 – 56 million credit cards breached over a 5-month period
JP Morgan Chase ($JPM)
- November 10, 2015 – 83 million account details including names, emails, postal addresses, and phone numbers breached in July/August 2014
- May 18, 2016 – 117 million emails and passwords breached in 2012
- Microsoft signed deal to acquire in June 2016 (share price skyrockets)
- Delisted December 2016
Marriott International ($MAR)
- Novemer 30, 2018 – 500 million records from a reservation database including names, addresses, credit cards, phone numbers, passport numbers, and travel info dating back to 2014
- August 21, 2007 – 1.3 million names, addresses, phone numbers and e-mail addresses of job seekers were breached five days prior to disclosure
- January 23, 2009 – An unknown number of user IDs and passwords were stolen, along with names, e-mail addresses, birth dates, gender, ethnicity, and in some cases, users’ states of residence were breached
Royal Bank of Scotland ($RBS)
- December 29, 2008 – 1.5 million RBS Worldpay payroll and gift card holders’ card data was breached, 1.1 million of which also included social security records were breached on November 10, over a month earlier
- November 24, 2014 – 10 million employee records including some social security numbers breached allegedly over a year-long period
- April 26, 2011 – Sony Playstation Network and Online Entertainment breached 77 million accounts including some credit card data, discovered 7 days prior
- December 19, 2014 – 1.16 million credit and debit card numbers breached between April and September
- December 19, 2013 – 70 million card details breached in Nov-December 2015
TJ Maxx ($TJX)
- March 29, 2007 – 45.6 million (others report 94 million) records of credit and debit card details breached starting in mid-2005 and lasted for 18 months
- Oct 1, 2015 – 15 million T-Mobile customer data breached from Experian including social security numbers
- April 10, 2008 – 17 million phone numbers, addresses, dates of birth and email addresses breached in 2006 (this was actually T-Mobile’s parent company, Deutsche Telekom, and thus not included in our calculations)
Under Armour ($UAA)
- March 29, 2018 – 150 million user accounts for UnderArmour’s MyFitnessPal app were breached, leaking usernames, email addresses, and hashed passwords
- September 12, 2013 – Over 2 million names, addresses, bank account numbers and birth dates breached
- September 22, 2016 – 500 million accounts breached in 2014
- December 14, 2016 – 1 billion accounts breached in 2013
- May 20, 2013 – 22 million user Yahoo Japan IDs breached on May 16 (note: Yahoo Japan is listed separately on the Tokyo Stock exchange and is not part of this analysis)
In the longer term, share prices continued to grow, but not fast enough to keep up with the NASDAQ. After one year, share price grew 8.38% on average, but underperformed the NASDAQ by -6.49%. After two years, average share price rose 12.78%, but underperformed the NASDAQ by -12.88%. And after three years, share price was up by 32.53% but down against the NASDAQ by -13.27%.
Some of Comparitech’s key findings include:
- Share prices of breached companies hit a low point approximately 14 market days following a breach. Share prices fall 7.27% on average, and underperform the NASDAQ by -4.18%
- Six months after a breach, the companies we analyzed actually performed better than they did in the six months prior. In the six months leading up to a breach, average share price grew 4.1%, compared to 7.4% following a breach. Similarly, the companies underperformed the NASDAQ by -1.65% leading up to the breach, but managed to outperform it by 0.48% six months after.
- In the long term, breached companies underperformed the market. After 1 year, Share price grew 8.38% on average, but underperformed the NASDAQ by -6.49%. After 2 years, average share price rose 12.78%, but underperformed the NASDAQ by -12.88%. And after three years, average share price is up by 32.53% but down against the NASDAQ by -13.27%. It’s important to note the impact of data breaches likely diminishes over time.
- After about a month, share prices rebound and catch up to NASDAQ performance on average
- Finance and payment companies saw the largest drop in share price performance following a breach, while healthcare companies were least affected
- Breaches that leak highly sensitive information like credit card and social security numbers see larger drops in share price performance on average than companies that leak less sensitive info