Site icon African Eye Report

How Data Breaches Affect Stock Market Share Prices

MASAHUDU ANKIILU
Bull

November 6, 2019//-A data breach incurs serious consequences no matter whether a company is big or small.

Staff get fired, executives issue apologies, and entire systems are overhauled to ensure that it doesn’t happen again. They instill doubt in consumers, damage the company’s reputation, and the impact can last for years. A data breach can harm both public sentiment and a company’s competitive edge in the market.

But how do investors react to data breaches? Does Wall Street punish companies that leak customer data? This is the question we will attempt to answer.

We analyzed the closing share prices of 28 companies, all of them listed on the New York Stock Exchange, starting the day prior to the public disclosure of their respective data breaches.

Included are many of the largest data breaches in history; all of them resulted in at least 1 million records leaked, and some surpassed 100 million. Some companies were breached more than once, for a total of 33 breaches analyzed.

Some of our key findings include:

The companies include: Apple, Adobe, Anthem, Community Health Systems, Capital One, Dun & Bradstreet, Facebook, First American Financial, Ebay, Equifax, Global Payments, Home Depot, Health Net, Heartland Payment Systems, JP Morgan Chase, LinkedIn, Marriott International, Monster, T-Mobile, Sony, Staples, Target, TJ Maxx, Under Armour, Vodafone, and Yahoo.

This study was updated in September 2019 to include more companies, improve the methodology, and create better, interactive visualizations.

Methodology

Excluding statistical outliers, we analyzed the share prices of these companies chosen on the following criteria:

At first, we simply looked at whether the share price went up or down, but this method fails to account for market forces beyond the scope of the study. To control for this, we opted to add a second stage to the analysis. In this stage, we compare the performance of each stock with the NASDAQ for the same time period, and calculate the difference in performance between them. The NASDAQ is a common standard for overall market performance, and most of these stocks are listed on it. We used a NASDAQ composite index as a benchmark for the wider market. Here’s the formula:

(((Company prices on day X after breach)/(Company price on day prior to breach)-1)*100) - (((NASDAQ prices on day X after breach)/(NASDAQ on the day prior to breach)-1)*100)

Essentially, we anchor the NASDAQ index performance to zero. That means if a company’s stock fell 1% and the NASDAQ rose 2% in the month after a data breach, the calculated decrease is 3%. If the NASDAQ fell 2% and the company’s stock price rose 2%, we report an increase of 4%. If the NASDAQ rose 2% but the company only rose 1%, that’s a 1% decrease versus the market. Finally, if the company’s stock price falls 2% but the NASDAQ falls 3%, then the company still sees a relative increase of 1%.

In short, we make the NASDAQ’s performance the baseline instead of zero. We are primarily concerned with the following:

Historical stock data were downloaded on in August 2018.

We analyzed all of the stocks together and then split them up by different factors to see if we could spot any patterns. These factors include the year of the breach, the size of the breach, the sensitivity of the leaked info, and the industry of the company. These findings, while insightful, are less statistically significant due to the smaller sample size.

Stock exchanges are only open on business days, which means no weekends or holidays. Here’s a quick reference that roughly converts business days to total time:

While we use daily means to present our findings in this article, we additionally include polynomial trend lines in our visualizations to better represent the data.

Limitations

One of the biggest limitations to this study is sample size; there aren’t many companies that fit the criteria.

As with any financial market study, there is a huge slew of factors that could affect stock price which we cannot account for. While we’ve tried to minimize blindspots by comparing share price performance against that of the NASDAQ, there are bound to be some unexplained inconsistencies.

Two noteworthy factors that we did not cover in this analysis stood out most. The first: payouts. If a data breach leaks particularly damaging information that ultimately incurs financial damages to a company’s customers, and the company was shown not to have adequately protected the information leaked in that breach, then customers often sue in class-action lawsuits. These usually result in settlements, in which the company forks out millions of dollars to reimburse customers for damages. This does not always happen and the amount paid out varies, so we simply don’t have enough data to fit a practical model that shows how these settlements affect stock prices.

The second is financial reports. This would perhaps warrant an entirely separate study. We analyzed the share price starting with the day prior to when a data breach was publicly disclosed. While a company might divulge what information was leaked and how many records were affected in that initial disclosure, other consequences might not be revealed until the company releases its requisite quarterly shareholder report. This could include loss of sales or users, diverting funds to invest in data security, or other important information related to the breach that could cause investors to jump ship.

What effect does a data breach have on share price?

Stock prices suffer following a breach, but perhaps not as much as one might assume. After 14 market days, or roughly three weeks, share prices drop -2.8% on average. After the first month, however, share prices recover, and the companies we examined actually performed better in the six months following a breach (+7.4%) than the six months prior (+4.1%).

We compared the average daily volatility for the six months prior to breach against the six months after. Average daily volatility across all stocks increased slightly from 0.362% to 0.375%.

The NASDAQ comparison gives a similar result. 14 market days after a breach, share price underperforms the NASDAQ by -4.2%, but after six months, the average share price performance recovers and even surpasses NASDAQ performance (+0.48% vs NASDAQ).

Long term effects of data breach on share price

In the longer term, share prices continue to grow, but not fast enough to keep up with the NASDAQ. After one year, share price has grown 8.38% on average, but underperforms the NASDAQ by -6.49%. After two years, average share price rose 12.78%, but underperformed the NASDAQ by -12.88%. And after three years, share price is up by 32.53% but down against the NASDAQ by -13.27%.

These findings seem to indicate that breaches have an overall negative effect on share price in the long term. However, it’s important to note two important factors that could influence the results. The first is that some of the companies we analyzed were breached relatively recently, so we don’t have a full three years worth of post-breach data for every company. The sample size at 3 years is smaller than the sample size at 6 months. Second, the further away in time we get from the breach, the more difficult it is to reasonably attribute changes in share price to said breach. In other words, we assume a data breach will have the greatest effect on share price immediately following the incident, and that effect will diminish over time. For this reason, we primarily focus on the six months before and after a breach is disclosed.

In the following analyses, we grouped the stocks together by different factors. These sections will primarily focus on the difference in share price performance versus the NASDAQ—not just share price fluctuation—over one year (see above for explanation). For each group, we note this statistic for the six months prior to breach, six months post-breach, and the price and number of market days it took for the stock to “bottom out” post-breach.

Time of breach

This analysis groups companies into three groups according to when they were breached. Our goal is to find out whether breaches have a larger or smaller impact on share prices over time.

The most notable result is older breaches met with a stronger negative reaction than newer breaches. One theory is that breaches were a relatively uncommon occurrence prior to 2012, but as time goes on they become more common. This causes a “breach fatigue”, or bed-of-nails effect, in which investors are less shaken by data breaches as time goes on.

Note that two companies, Heartland Payment Systems (HPY) and LinkedIn (LNKD) de-listed from the stock market after their breaches.

2011 or earlier: TJ Maxx, Countrywide, Monster, Health Net, Betfair, Sony

Share prices of companies breached prior to 2012 fell sharply against the NASDAQ, but it’s worth mentioning these stocks were already performing poorly in the six months prior to their breaches. Despite the downward trend and the sharp drop in the first few weeks post-breach, these stocks still performed better on average in the six months after breach than the six months prior.

Notably, these companies took the longest to recover, bottoming out 109 days following their breaches on average.

2012-2015: Apple, Adobe, Anthem, Community Health Systems, Ebay, Global Payments, Home Depot, Heartland Payment Systems, JP Morgan, Sony, Staples, Target, T-Mobile, Vodaphone, Yahoo

Companies breached from 2012 to 2015 were outperforming the NASDAQ by nearly 10% in the six months prior to their breaches. Post-breach, they still did better than the NASDAQ, but only by 1%. The initial drop directly following breaches was less severe on average than that of the earlier breaches.

2016 or later – Yahoo, LinkedIn, Equifax, Under Armour, Capital One, First American Financial, Marriot International, Dun & Bradstreet, Facebook

Stocks that suffered breaches since 2016 initially dropped against the NASDAQ by -6.3%, but they recovered more quickly than earlier breaches. Prior to the breach, they underperformed the NASDAQ by more than 9%. However, they recovered the quickest and ultimately outpace the NASDAQ six months later by 4%.

Industry

In these analyses, we explored how share prices were affected by data breaches in specific industries. We categorized each of the stocks into one of five verticals: healthcare, finance, technology, ecommerce and social media, and retail. Note that the samples for these are quite small, so while they may be of interest, they are not as statistically rooted as the more general analyses.

Finance and payments – JP Morgan Chase, Heartland Payment Systems, Countrywide, Global Payments, Equifax, Capital One, First American Financial

Finance-related companies were hit hard by data breaches, as one might expect. They suffered the largest initial downturn following breaches on average, sinking over 17% against the NASDAQ after 16 market days. Although the stocks performed better against the market post-breach than pre-breach, they still underperformed the NASDAQ by a difference of 2% after six months.

Technology: Sony, Apple, T-Mobile, Vodafone, VTech, Adobe

Technology stocks collectively take a significant initial hit, although not as much as those of finance companies. The initial fall in performance was more gradual than in other categories, not bottoming out until 40 market days. Prior to the breach, these companies outperformed the NASDAQ on average, but underperformed it in the six months after.

Ecommerce and social media: Yahoo, LinkedIn, BetFair, Monster, Dun & Bradstreet, Ebay, Facebook

Ecommerce and social media companies weren’t performing that well on average prior to their data breaches. But in the six months following, they managed to outperform the NASDAQ market index by over 10%. That’s in spite of a fairly sharp drop in average share price directly following their breaches.

Retail: Target, TJ Maxx, Home Depot, Staples, Under Armour, Marriott

This category includes some of the most high-profile data breaches in history, but despite that, they didn’t suffer much of an initial drop. Although they still underperformed the NASDAQ at the end of six months, that’s still an improvement on the prior six months.

Healthcare – Anthem, Health Net, Community Health Systems

We only analyzed four breaches among three healthcare companies, so our results should be taken with a big grain of salt in this category. Still, we though it worth including.

Healthcare companies suffered a 4% average drop in share price in the 14 market days following a breach. The six months before breach were better than the six months after, but in both cases these companies outperformed the NASDAQ on average. Performance is heavily swayed by the ups and downs of Health Net ($HNT).

Size of breach

This analysis groups each of the stocks by size of breach: 1-10 million records, 11 to 99 million records, and 100 million or more records breached. Our hypothesis was simple: the bigger the breach, the bigger the drop in share price. But the results actually surprised us.

Companies that suffered bigger breaches were able to shake it off and ultimately outperform the market, whereas companies with smaller breaches lagged behind six months on.

100 million or more records: Yahoo, Ebay, Heartland Payment Systems, LinkedIn, Equifax, Under Armour, Capital One, Marriott, First American, Facebook

Companies that leaked a huge amount of records suffered a sharp initial drop in performance against the NASDAQ as a result. They soon recovered, however, ultimately outpacing the NASDAQ by 12%, a significant improvement on the six months prior to breach. Performance was held aloft largely thanks to Heartland Payment Systems ($HPY).

10-99 million records: Anthem, Target, JP Morgan Chase, Sony, TJ Maxx, Home Depot, Adobe, Dun & Bradstreet, Apple, T-Mobile, Facebook

We see a gradual slight decline in share price performance among these stocks after they’ve been breached, but for the most part they keep pace with the NASDAQ.

A notable stock to observe here is Apple ($AAPL), which fell in sharp contrast to most of the others. While Apple did suffer a data breach, the fault for that breach was not directly Apple’s, but a law enforcement leak of Apple’s customer data. We surmise Apple’s poor performance during this period was more to do with the succession of its former CEO Steve Jobs, who died less than a year earlier, and the launch of the first iPhone since his death.

1-10 million records: Monster, RBS, Health Net, Global Payments, Vodafone, Staples, Community Health Systems

Smaller breaches had a similar negative impact on share price as the largest breaches in the immediate term, but share prices failed to recover. As you would expect—but not as is the norm—they performed worse in the six months following a breach than the six months prior.

Sensitivity of stolen info

This analysis groups stocks by the sensitivity of the data that was breached. Those that leaked the most sensitive information–credit cards and social securitn numbers–took a significant hit, while the damage to those that leaked passwords was miniscule.

Highly sensitive info – Target, Sony, Heartland Payment Systems, TJ Maxx, Home Depot, Global Payments, Staples, Community Health Systems, Equifax, Under Armour, Capital One, First American, Marriott

The first group is highly sensitive information, primarily credit and debit card numbers or social security numbers. When this information is leaked, there are direct consequences–identity theft and credit card fraud–that cannot be resolved with a quick fix from the company.

These companies witnessed a sharp drop in share price performance on average in the first two months following their breaches. They performed worse in the six months following a breach than the six months prior, but not by much.

Passwords, login info, and medical records – Ebay, Anthem, LinkedIn, Health Net

The second group includes unencrypted passwords, secret questions and answers, medical records, and other login information. This info could be used by hackers to access user accounts. While a company can simply require password resets in such a case, many people use the same password and login info on other sites. That means the information could indirectly cause someone’s other accounts to be hacked.

Stock prices for these companies didn’t drop in the wake of their breaches. Average performance was influenced heavily by LinkedIn, which was sold to Microsoft and de-listed from the NASDAQ in the year after its breach. Without it, prices would see a more gradual and steady increase, but an increase nonetheless. The six months following a breach were a huge improvement on the six months prior when compared to the market.

Usernames, email addresses, phone numbers, addresses – JP Morgan Chase, Yahoo, Adobe, Apple, Monster, Vodafone, Dun & Bradstreet, Facebook

Finally, the last group includes breaches of information that can’t be directly used by a hacker to access someone’s account, but could be used to target account holders with advertisements, scams, and phishing emails. This information includes email addresses, usernames, addresses, and phone numbers among other information.

Royal Bank of Scotland (RBS) and Monster (MWW) didn’t decline immediately after their breaches, so we don’t see a sharp drop until the second week. Performance continued to decline for two months. Six months on, these companies were back on track with the NASDAQ, though significantly worse than the six months prior.

The data breaches we analyzed

Below we’ve listed each of the companies and some details about their respective data breaches. Note that some companies suffered from multiple data breaches. In that case, we began our analysis from the business day prior to the earliest data breach. Most companies are listed on the NYSE, but some are listed on the London and Hong Kong stock exchanges. In that case, we did not include it in our NASDAQ comparison, only the normal share price analysis. If a company is listed on multiple stock exchanges, we opted for the NYSE data as it would be more closely aligned with the NASDAQ.

We chose to use the date of the day prior to disclosure according to the earliest possible media report, press release, or other available source online. Note, however, that the data breaches often took place much earlier. Once a hacker gains access, they can remain undetected for several weeks, months, and even years. Even after they are discovered and blocked, companies often wait weeks or months before publicly disclosing the breach.

Adobe ($ADBE)

Apple ($AAPL)

Anthem ($ANTM)

Capital One ($COF)

Community Health Systems ($CYH)

Dun & Bradstreet ($DNB)

Facebook ($FB)

First American Financial ($FAF)

Ebay ($EBAY)

Equifax ($EFX)

Global Payments ($GPN)

Health Net ($HNT)

Heartland Payment Systems ($HPY)

Home Depot ($HD)

JP Morgan Chase ($JPM)

LinkedIn ($LNKD)

Marriott International ($MAR)

Monster ($MWW)

Royal Bank of Scotland ($RBS)

Sony ($SNE)

Staples ($SPLS)

Target ($TGT)

TJ Maxx ($TJX)

T-Mobile ($TMUS)

Under Armour ($UAA)

Vodafone ($VOD)

Yahoo ($YHOO)

NASDAQ benchmark validation

We ran the same one-year overall comparison analysis that we used on the NASDAQ against the S&P 500. We did this to ensure that the NASDAQ comparison results are materially similar to other broad benchmarks. The S&P 500 is a fairly standard benchmark for overall market performance.

Here is the overall NASDAQ comparison for one year:

And here it is for the S&P 500:

The curve is slightly different but overall doesn’t vary much from the NASDAQ.

2017 vs 2018/19 studies

The 2018 and 2019 versions of this study are revisions of a similar study that we conducted in 2017. The 2018 modifications include:

The 2019 changes include:

In the 2018 study, we noted a slower decline in performance over time than in 2017. This is most likely to do with the introduction of new companies and breaches in the data set.

Charging Bull – New York City” by Sam valadi licensed under CC BY 2.0

How data breaches affect stock market share prices
Exit mobile version