Analysis: How data breaches affect stock market share prices (2018 update)

Published by on September 6, 2018 in Information Security

new york city charging bull

A data breach incurs serious consequences no matter whether a company is big or small. Staff get fired, executives issue apologies, and entire systems are overhauled to ensure that it doesn’t happen again. They instill doubt in consumers, damage the company’s reputation, and the impact can last for years. A data breach can harm both public sentiment and a company’s competitive edge in the market.

But how to investors react to data breaches? Does Wall Street punish companies that leak customer data? This is the question we will attempt to answer.

We analyzed the closing share prices of 24 companies, all of them listed on the New York Stock Exchange, starting the day prior to the public disclosure of their respective data breaches. Included are many of the largest data breaches in history; all of them resulted in at least 1 million records leaked, and some surpassed 100 million. Some companies were breached more than once, for a total of 28 breaches analyzed.

Some of our key findings include:

  • In the long term, breached companies underperformed the market. After 1 year, Share price grew 8.53% on average, but underperformed the NASDAQ by -3.7%. After 2 years, average share price rose 17.78%, but underperformed the NASDAQ by -11.35%. And after three years, average share price is up by 28.71% but down against the NASDAQ by -15.58%. It’s important to note the impact of data breaches likely diminishes over time.
  • Share prices of breached companies hit a low point approximately 14 market days following a breach. Share prices fall 2.89% on average, and underperform the NASDAQ by -4.6%
  • After about a month, share prices rebound and catch up to NASDAQ performance on average
  • After the first month, the companies we analyzed actually performed better than they did prior to the breach. In the six months leading up to a breach, average share price grew 3.64%, compared to 7.02% following a breach. Similarly, the companies underperformed the NASDAQ by -1.53% leading up to the breach, but managed to outperform it by 0.09% afterward.
  • Finance and payment companies saw the largest drop in share price performance following a breach, while healthcare companies were least affected
  • Breaches that leak highly sensitive information like credit card and social security numbers see larger drops in share price performance on average than companies that leak less sensitive info

The companies include: Apple, Adobe, Anthem, Community Health Systems, Dun & Bradstreet, Ebay, Equifax, Experian, Global Payments, Home Depot, Health Net, Heartland Payment Systems, JP Morgan Chase, LinkedIn, Monster, T-Mobile, Sony, Staples, Target, TJ Maxx, Under Armour, Vodafone, and Yahoo.

This study was revised in August 2018 to include more companies, improve the methodology, and create better, interactive visualizations. Read about those changes here.

Contents

Methodology

Excluding statistical outliers, we analyzed the share prices of these companies chosen on the following criteria:

  • They experienced a breach of 1 million or more records
  • They were publicly listed on the NYSE at time of breach disclosure
  • The breach has been publicly disclosed

At first, we simply looked at whether the share price went up or down, but this method fails to account for market forces beyond the scope of the study. To control for this, we opted to add a second stage to the analysis. In this stage, we compare the performance of each stock with the NASDAQ for the same time period, and calculate the difference in performance between them. The NASDAQ is a common standard for overall market performance, and most of these stocks are listed on it.  We used a NASDAQ composite index as a benchmark for the wider market. Here’s the formula:

(((Company prices on day X after breach)/(Company price on day prior to breach)-1)*100) - (((NASDAQ prices on day X after breach)/(NASDAQ on the day prior to breach)-1)*100)

Essentially, we anchor the NASDAQ index performance to zero. That means if a company’s stock fell 1% and the NASDAQ rose 2% in the month after a data breach, the calculated decrease is 3%. If the NASDAQ fell 2% and the company’s stock price rose 2%, we report an increase of 4%. If the NASDAQ rose 2% but the company only rose 1%, that’s a 1% decrease versus the market. Finally, if the company’s stock price falls 2% but the NASDAQ falls 3%, then the company still sees a relative increase of 1%.

In short, we make the NASDAQ’s performance the baseline instead of zero. We are primarily concerned with the following:

  • the effect of a data breach on closing share price at various time intervals
  • the percent difference in closing share price performance versus the NASDAQ over the same period of time from the day prior to a breach,
  • and how long it takes for a share price to “bottom out” after a breach.

Historical stock data were downloaded on in August 2018.

We analyzed all of the stocks together and then split them up by different factors to see if we could spot any patterns. These factors include the year of the breach, the size of the breach, the sensitivity of the leaked info, and the industry of the company. These findings, while insightful, are less statistically significant due to the smaller sample size.

Stock exchanges are only open on business days, which means no weekends or holidays. Here’s a quick reference that roughly converts business days to total time:

  • One year: 262 business days
  • 9 months: 198 business days
  • 6 months: 132 business days
  • 3 months: 66 business days
  • 1 month: 22 business days
  • 1 week: 5 business days

While we use daily means to present our findings in this article, we additionally include polynomial trend lines in our visualizations to better represent the data.

Limitations

One of the biggest limitations to this study is sample size; there aren’t many companies that fit the criteria.

As with any financial market study, there is a huge slew of factors that could affect stock price which we cannot account for. While we’ve tried to minimize blindspots by comparing share price performance against that of the NASDAQ, there are bound to be some unexplained inconsistencies.

Two noteworthy factors that we did not cover in this analysis stood out most. The first: payouts. If a data breach leaks particularly damaging information that ultimately incurs financial damages to a company’s customers, and the company was shown not to have adequately protected the information leaked in that breach, then customers often sue in class-action lawsuits. These usually result in settlements, in which the company forks out millions of dollars to reimburse customers for damages. This does not always happen and the amount paid out varies, so we simply don’t have enough data to fit a practical model that shows how these settlements affect stock prices.

The second is financial reports. This would perhaps warrant an entirely separate study. We analyzed the share price starting with the day prior to when a data breach was publicly disclosed. While a company might divulge what information was leaked and how many records were affected in that initial disclosure, other consequences might not be revealed until the company releases its requisite quarterly shareholder report. This could include loss of sales or users, diverting funds to invest in data security, or other important information related to the breach that could cause investors to jump ship.

What effect does a data breach have on share price?

Stock prices suffer following a breach, but perhaps not as much as one might assume. After 14 market days, or roughly three weeks, share prices drop -2.89% on average. After the first month, however, share prices recover, and the companies we examined actually performed better in the six months following a breach (+7.02%) than the six months prior (+3.64%).

Average daily volatility across all stocks was 2.6%.

The NASDAQ comparison gives a similar result. 14 market days after a breach, share price underperforms the NASDAQ by -4.6%, but after a month (about market 22 days), they’re only down -1.76% against the NASDAQ. After 6 months, the average share price performance recovers and even surpasses NASDAQ performance (+0.09% vs NASDAQ).

Long term effects of data breach on share price

In the longer term, share prices continue to grow, but not fast enough to keep up with the NASDAQ. After one year, share price has grown 8.53% on average, but underperforms the NASDAQ by -3.7%. After two years, average share price rose 17.78%, but underperformed the NASDAQ by -11.35%. And after three years, share price is up by 28.71% but down against the NASDAQ by -15.58%.

These findings seem to indicate that breaches have an overall negative effect on share price in the long term. However, it’s important to note two important factors that could influence the results. The first is that some of the companies we analyzed were breached relatively recently, so we don’t have a full three years worth of post-breach data for every company. The sample size at 3 years is smaller than the sample size at 6 months. Second, the further away in time we get from the breach, the more difficult it is to reasonably attribute changes in share price to said breach. In other words, we assume a data breach will have the greatest effect on share price immediately following the incident, and that effect will diminish over time. For this reason, we primarily focus on the six months before and after a breach is disclosed.

In the following analyses, we grouped the stocks together by different factors. These sections will primarily focus on the difference in share price performance versus the NASDAQ—not just share price fluctuation—over one year (see above for explanation). For each group, we note this statistic for the six months prior to breach, six months post-breach, and the price and number of market days it took for the stock to “bottom out” post-breach.

Time of breach

This analysis groups companies into three groups according to when they were breached. Our goal is to find out whether breaches have a larger or smaller impact on share prices over time.

The most notable result is older breaches met with a stronger initial reaction than newer breaches. One theory is that breaches were a relatively uncommon occurrence prior to 2012, but as time goes on they become more common. This causes a “breach fatigue”, or bed-of-nails effect, in which investors are less shaken by data breaches as time goes on.

Beyond the initial change in share price, breaches didn’t seem to affect share price differently in the long term based on when they first happened. Share price performance varied too widely to discern any useful conclusion.

2011 or earlier: TJ Maxx, Countrywide, Monster, Health Net, Betfair, Sony

  • 6 months prior to breach: -15.71% vs NASDAQ
  • 6 months post-breach: -3.73% vs NASDAQ
  • Bottom: -11.91% vs NASDAQ on day 14

Share prices of companies breached prior to 2012 fell sharply against the NASDAQ, but it’s worth mentioning these stocks were already performing poorly in the six months prior to their breaches. Despite the downward trend and the sharp drop in the first few weeks post-breach, these stocks still performed better on average in the six months after breach than the six months prior.

2012-2014: Ebay, Target, Home Depot, Adobe, Apple, Global Payments, Vodafone, Dun & Bradstreet, Staples, Community Health Systems

  • 6 months prior to breach: +10.13% vs NASDAQ
  • 6 months post-breach: -3.00% vs NASDAQ
  • Bottom: N/A

Despite relatively large breaches, the average share price at these companies didn’t see any immediate loss in performance against the NASDAQ, which is why there’s no bottom. Instead, performance improved slightly and then waned slowly over the six months post-breach to slightly underperform the market. This is the exact opposite result of the older breaches, which companies took a hard initial hit to share price but then recovered to perform even better than the previous six months.

2015 or later – Yahoo, Anthem, JP Morgan Chase, Heartland Payment Systems, LinkedIn, Experian, T-Mobile, Equifax, Under Armour

  • 6 months prior to breach: -4.18% vs NASDAQ
  • 6 months post-breach: +7.00% vs NASDAQ
  • Bottom: -5.25% vs NASDAQ on day 9

Stocks that suffered breaches since 2015 initially dropped against the NASDAQ. Prior to the breach, they underperformed the NASDAQ slightly, but they recovered after their breaches to ultimately outpace the NASDAQ six months later.

Note that two companies, Heartland Payment Systems (HPY) and LinkedIn (LNKD) de-listed from the stock market after their breaches.

Industry

In these analyses, we explored how share prices were affected by data breaches in specific industries. We categorized each of the stocks into one of five verticals: healthcare, finance, technology, ecommerce and social media, and retail. Note that the samples for these are quite small, so while they may be of interest, they are not as statistically rooted as the more general analyses.

Finance and payments – JP Morgan Chase, Heartland Payment Systems, Countrywide, Experian, Global Payments, Equifax

  • 6 months prior to breach: -9.87% vs NASDAQ
  • 6 months post-breach: -2.07% vs NASDAQ
  • Bottom: -17.42% vs NASDAQ on day 16

Finance-related companies were hit hard by data breaches, as one might expect. They suffered the largest initial downturn following breaches on average, sinking over 17% against the NASDAQ after 16 market days. Although the stocks performed better against the market post-breach than pre-breach, they still underperformed the NASDAQ by a difference of 2% after six months.

Technology: Sony, Apple, T-Mobile, Vodafone, VTech, Adobe

  • 6 months prior to breach: +6.79% vs NASDAQ
  • 6 months post-breach: -4.48% vs NASDAQ
  • Bottom: -5.30% vs NASDAQ on day 40

Technology stocks collectively take a significant initial hit, although not as much as those of finance companies. The initial fall in performance was more gradual than in other categories, not bottoming out until 40 market days. Prior to the breach, these companies outperformed the NASDAQ on average, but underperformed it in the six months after.

Ecommerce and social media: Yahoo, LinkedIn, BetFair, Monster, Dun & Bradstreet, Ebay

  • 6 months prior to breach: -6.37% vs NASDAQ
  • 6 months post-breach: +10.37% vs NASDAQ
  • Bottom: -6.21% vs NASDAQ on day 10

Ecommerce and social media companies weren’t performing that well on average prior to their data breaches. But in the six months following, they managed to outperform the NASDAQ market index by over 10%. That’s in spite of a fairly sharp drop in average share price directly following their breaches.

Retail: Target, TJ Maxx, Home Depot, Staples, Under Armour

  • 6 months prior to breach: -1.46% vs NASDAQ
  • 6 months post-breach: -4.43% vs NASDAQ
  • Bottom: N/A

Even though this category includes some of the most high-profile data breaches in history, investors were unfazed. They suffered no immediate drop in share price performance after their breaches on average, and the six months post-breach were only marginally worse than the six months prior.

Healthcare – Anthem, Health Net, Community Health Systems

  • 6 months prior to breach: +4.76% vs NASDAQ
  • 6 months post-breach: +2.97% vs NASDAQ
  • Bottom: N/A

We only analyzed four breaches among three healthcare companies, so our results should be taken with a big grain of salt in this category. Still, we though it worth including. The breaches did not seem to have much affect on these companies.

There’s no initial drop in share price, which hits a low point about three months later, but it would be difficult to attribute that to drop to the breach. Ultimately, these stocks outperformed the NASDAQ on average, and the six months after breach wasn’t much less than he six months prior. Performance is heavily swayed by the ups and downs of Health Net ($HNT).

Size of breach

This analysis groups each of the stocks by size of breach: 1-10 million records, 11 to 99 million records, and 100 million or more records breached. Our hypothesis was simple: the bigger the breach, the bigger the drop in share price. But the results actually surprised us.

Companies that suffered bigger breaches were able to shake it off and ultimately outperform the market, whereas companies with smaller breaches lagged behind six months on.

100 million or more records: Yahoo, Ebay, Heartland Payment Systems, LinkedIn, Equifax, Under Armour

  • 6 months prior to breach: -3.03% vs NASDAQ
  • 6 months post-breach: +13.18% vs NASDAQ
  • Bottom: -7.33% vs NASDAQ on day 8

Companies that leaked a huge amount of records suffered a sharp initial drop in performance against the NASDAQ as a result. They soon recovered, however, ultimately outpacing the NASDAQ by 13%, a significant improvement on the six months prior to breach. Performance was held aloft largely thanks to Heartland Payment Systems ($HPY).

10-99 million records: Anthem, Target, JP Morgan Chase, Sony, TJ Maxx, Home Depot, Adobe, Dun & Bradstreet, Experian, Apple, T-Mobile

  • 6 months prior to breach: -1.34% vs NASDAQ
  • 6 months post-breach: -1.12% vs NASDAQ
  • Bottom: -3.14% vs NASDAQ on day 40

We see a gradual slight decline in share price performance among these stocks after they’ve been breached, but for the most part they keep pace with the NASDAQ.

A notable stock to observe here is Apple ($AAPL), which fell in sharp contrast to most of the others. While Apple did suffer a data breach, the fault for that breach was not directly Apple’s, but a law enforcement leak of Apple’s customer data. We surmise Apple’s poor performance during this period was more to do with the succession of its former CEO Steve Jobs, who died less than a year earlier, and the launch of the first iPhone since his death.

1-10 million records: Monster, RBS, Health Net, Global Payments, Vodafone, Staples, Community Health Systems

  • 6 months prior to breach: -0.36% vs NASDAQ
  • 6 months post-breach: -5.9% vs NASDAQ
  • Bottom: -8.8% vs NASDAQ on day 14

Smaller breaches had a similar negative impact on share price as the largest breaches in the immediate term, but share prices failed to recover. As you would expect—but not as is the norm—they performed worse in the six months following a breach than the six months prior.

Sensitivity of stolen info

This analysis groups stocks by the sensitivity of the data that was breached. Those that leaked the most sensitive information–credit cards and social securitn numbers–took a significant hit, while the damage to those that leaked passwords was miniscule.

Highly sensitive info – Target, Sony, Heartland Payment Systems, TJ Maxx, Home Depot, Experian, Global Payments, Staples, Community Health Systems, Equifax, Under Armour

  • 6 months prior to breach: -1.70% vs NASDAQ
  • 6 months post-breach: -3.18% vs NASDAQ
  • Bottom: -8.2% vs NASDAQ on day 14

The first group is highly sensitive information, primarily credit and debit card numbers or social security numbers. When this information is leaked, there are direct consequences–identity theft and credit card fraud–that cannot be resolved with a quick fix from the company.

These companies witnessed a sharp drop in share price performance on average in the first three weeks following their breaches. They performed worse in the six months following a breach than the six months prior, but not by much.

Passwords, login info, and medical records – Ebay, Anthem, LinkedIn, Health Net

  • 6 months prior to breach: -8.86% vs NASDAQ
  • 6 months post-breach: +11.02% vs NASDAQ
  • Bottom: N/A

The second group includes unencrypted passwords, secret questions and answers, medical records, and other login information. This info could be used by hackers to access user accounts. While a company can simply require password resets in such a case, many people use the same password and login info on other sites. That means the information could indirectly cause someone’s other accounts to be hacked.

Stock prices for these companies didn’t drop in the wake of their breaches. Average performance was influenced heavily by LinkedIn, which was sold to Microsoft and de-listed from the NASDAQ in the year after its breach. Without it, prices would see a more gradual and steady increase, but an increase nonetheless. The six months following a breach were a huge improvement on the six months prior when compared to the market.

Usernames, email addresses, phone numbers, addresses – JP Morgan Chase, Yahoo, Adobe, Apple, Monster, Vodafone, Dun & Bradstreet

  • 6 months prior to breach: -0.36% vs NASDAQ
  • 6 months post-breach: -5.9% vs NASDAQ
  • Bottom: -8.8% on day 14

Finally, the last group includes breaches of information that can’t be directly used by a hacker to access someone’s account, but could be used to target account holders with advertisements, scams, and phishing emails. This information includes email addresses, usernames, addresses, and phone numbers among other information.

Royal Bank of Scotland (RBS) and Monster (MWW) didn’t decline immediately after their breaches, so we don’t see a sharp drop until the second week. Six months on, these companies underperformed the NASDAQ by nearly 6%, significantly worse than the six months prior.

The data breaches we analyzed

Below we’ve listed each of the companies and some details about their respective data breaches. Note that some companies suffered from multiple data breaches. In that case, we began our analysis from the business day prior to the earliest data breach. Most companies are listed on the NYSE, but some are listed on the London and Hong Kong stock exchanges. In that case, we did not include it in our NASDAQ comparison, only the normal share price analysis. If a company is listed on multiple stock exchanges, we opted for the NYSE data as it would be more closely aligned with the NASDAQ.

We chose to use the date of the day prior to disclosure according to the earliest possible media report, press release, or other available source online. Note, however, that the data breaches often took place much earlier. Once a hacker gains access, they can remain undetected for several weeks, months, and even years. Even after they are discovered and blocked, companies often wait weeks or months before publicly disclosing the breach.

Adobe ($ADBE)

  • Oct 13, 2013 – 38 million active user records including 3 million encrypted credit card numbers breached September 17, 2013

Apple ($AAPL)

  • September 3, 2012 – 12 million unique device IDs stolen from an FBI agent’s laptop
  • We surmise Apple’s poor performance during this period was more to do with the succession of its former CEO Steve Jobs, who died less than a year earlier, and the launch of the first iPhone since his death.

Anthem ($ANTM)

  • February 4, 2015 – 80 million medical records breached in January 2015

Community Health Systems ($CYH)

  • August 18, 2014 – 4.5 million names, addresses, dates of birth, phone numbers, and Social Security Numbers breached between April and June

Dun & Bradstreet ($DNB)

  • March 15, 2017 – 33.6 million files containing details ranging from job title to email addressed breached
  • September 25, 2013 – D&B, Altegrity, and LexisNexis all report a breach going back to April including names, addresses, property records and vital statistics

Ebay ($EBAY)

  • May 21, 2014 – 145 million accounts breached in Feb/March 2014 including passwords

Equifax ($EFX)

  • Sept 17, 2017 – 143 million US consumers’ names, Social Security numbers, and dates of birth were exposed, sometimes including driver’s licenses and/or credit card numbers. Some Canadian and British customers were affected as well.

Experian ($EXPN)

  • Oct 1, 2015 – 15 million T-Mobile customer data breached from Experian including social security numbers

Global Payments ($GPN)

  • April 2, 2012 – 1.5 million credit and debit card numbers were breached in early March

Health Net ($HNT)

  • November 19, 2009 – A hard drive with seven years’ worth of personal financial and medical information of 1.5 million customers of Health Net of the Northeast Inc. went missing in May 2009
  • March 15, 2011 – Nine server drives containing names, addresses, Social Security numbers, financial information and health data of 1.9 million customers went missing from an IBM data center

Heartland Payment Systems ($HPY)

  • May 31, 2015 – 130 million credit cards breached on May 8, 2015

Home Depot ($HD)

  • September 18, 2014 – 56 million credit cards breached over a 5-month period

JP Morgan Chase ($JPM)

  • November 10, 2015 – 83 million account details including names, emails, postal addresses, and phone numbers breached in July/August 2014

LinkedIn ($LNKD)

  • May 18, 2016 – 117 million emails and passwords breached in 2012
  • Microsoft signed deal to acquire in June 2016 (share price skyrockets)
  • Delisted December 2016

Monster ($MWW)

  • August 21, 2007 – 1.3 million names, addresses, phone numbers and e-mail addresses of job seekers were breached five days prior to disclosure
  • January 23, 2009 – An unknown number of user IDs and passwords were stolen, along with names, e-mail addresses, birth dates, gender, ethnicity, and in some cases, users’ states of residence were breached

Royal Bank of Scotland ($RBS)

  • December 29, 2008 – 1.5 million RBS Worldpay payroll and gift card holders’ card data was breached, 1.1 million of which also included social security records were breached on November 10, over a month earlier

Sony ($SNE)

  • November 24, 2014 – 10 million employee records including some social security numbers breached allegedly over a year-long period
  • April 26, 2011 – Sony Playstation Network and Online Entertainment breached 77 million accounts including some credit card data, discovered 7 days prior

Staples ($SPLS)

  • December 19, 2014 – 1.16 million credit and debit card numbers breached between April and September

Target ($TGT)

  • December 19, 2013 – 70 million card details breached in Nov-December 2015

TJ Maxx ($TJX)

  • March 29, 2007 – 45.6 million (others report 94 million) records of credit and debit card details breached starting in mid-2005 and lasted for 18 months

T-Mobile ($TMUS)

  • Oct 1, 2015 – 15 million T-Mobile customer data breached from Experian including social security numbers
  • April 10, 2008 – 17 million phone numbers, addresses, dates of birth and email addresses breached in 2006 (this was actually T-Mobile’s parent company, Deutsche Telekom, and thus not included in our calculations)

Under Armour ($UAA)

  • March 29, 2018 – 150 million user accounts for UnderArmour’s MyFitnessPal app were breached, leaking usernames, email addresses, and hashed passwords

Vodafone ($VOD)

  • September 12, 2013 – Over 2 million names, addresses, bank account numbers and birth dates breached

Yahoo ($YHOO)

  • September 22, 2016 – 500 million accounts breached in 2014
  • December 14, 2016 – 1 billion accounts breached in 2013
  • May 20, 2013 – 22 million user Yahoo Japan IDs breached on May 16 (note: Yahoo Japan is listed separately on the Tokyo Stock exchange and is not part of this analysis)

NASDAQ benchmark validation

We ran the same one-year overall comparison analysis that we used on the NASDAQ against the S&P 500. We did this to ensure that the NASDAQ comparison results are materially similar to other broad benchmarks. The S&P 500 is a fairly standard benchmark for overall market performance. 

Here is the overall NASDAQ comparison for one year:

breach_nasdaq_1_year_all

And here it is for the S&P 500:

The curve is slightly different but overall doesn’t vary much from the NASDAQ.

breach_snp_1_year_all

2017 vs 2018 studies

This 2018 study is a revision of a similar study that we conducted in 2017. The 2018 modifications include:

  • Added two new companies: Under Armour (UAA) and Equifax (EFX)
  • Removed three companies that are not listed on the NYSE to get a more uniform data set: Betfair, Countrywide, and VTech
  • If a company suffered two data breaches that meet the criteria, we analyzed both instead of just the latest one (SNE, HNT, TMUS)
  • Shifted focus to 6 months instead of 1-3 years. The effect of data breaches on share price diminishes over time, so we chose to look at a shorter period of time when changes in share price are more directly attributable to data breaches.
  • Included 6 months prior to breach to compare share price fluctuations before and after breach and add context.
  • Shifted focus more on the NASDAQ performance comparison and less on share price fluctuation
  • Improved visualizations with interactive features.

In the 2018 study, we noted a slower decline in performance over time than in 2017. This is most likely to do with the introduction of new companies and breaches in the data set.

Charging Bull – New York City” by Sam valadi licensed under CC BY 2.0

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.