A data breach incurs serious consequences no matter whether a company is big or small. Staff get fired, executives issue apologies, and entire systems are overhauled to ensure that it doesn’t happen again. They instill doubt in consumers, damage the company’s reputation, and the impact can last for years. A data breach can harm both public sentiment and a company’s competitive edge in the market.
But how do investors react to data breaches? Does Wall Street punish companies that leak customer data? This is the question we will attempt to answer.
We analyzed the closing share prices of 28 companies, all of them listed on the New York Stock Exchange, starting the day prior to the public disclosure of their respective data breaches. Included are many of the largest data breaches in history; all of them resulted in at least 1 million records leaked, and some surpassed 100 million. Some companies were breached more than once, for a total of 33 breaches analyzed.
Some of our key findings include:
- Share prices of breached companies hit a low point approximately 14 market days following a breach. Share prices fall 7.27% on average, and underperform the NASDAQ by -4.18%
- Six months after a breach, the companies we analyzed actually performed better than they did in the six months prior. In the six months leading up to a breach, average share price grew 4.1%, compared to 7.4% following a breach. Similarly, the companies underperformed the NASDAQ by -1.65% leading up to the breach, but managed to outperform it by 0.48% six months after.
- In the long term, breached companies underperformed the market. After 1 year, Share price grew 8.38% on average, but underperformed the NASDAQ by -6.49%. After 2 years, average share price rose 12.78%, but underperformed the NASDAQ by -12.88%. And after three years, average share price is up by 32.53% but down against the NASDAQ by -13.27%. It’s important to note the impact of data breaches likely diminishes over time.
- After about a month, share prices rebound and catch up to NASDAQ performance on average
- Finance and payment companies saw the largest drop in share price performance following a breach, while healthcare companies were least affected
- Breaches that leak highly sensitive information like credit card and social security numbers see larger drops in share price performance on average than companies that leak less sensitive info
The companies include: Apple, Adobe, Anthem, Community Health Systems, Capital One, Dun & Bradstreet, Facebook, First American Financial, Ebay, Equifax, Global Payments, Home Depot, Health Net, Heartland Payment Systems, JP Morgan Chase, LinkedIn, Marriott International, Monster, T-Mobile, Sony, Staples, Target, TJ Maxx, Under Armour, Vodafone, and Yahoo.
This study was updated in September 2019 to include more companies, improve the methodology, and create better, interactive visualizations.
- 1 Methodology
- 2 What effect does a data breach have on share price?
- 3 Time of breach
- 3.1 2011 or earlier: TJ Maxx, Countrywide, Monster, Health Net, Betfair, Sony
- 3.2 2012-2015: Apple, Adobe, Anthem, Community Health Systems, Ebay, Global Payments, Home Depot, Heartland Payment Systems, JP Morgan, Sony, Staples, Target, T-Mobile, Vodaphone, Yahoo
- 3.3 2016 or later – Yahoo, LinkedIn, Equifax, Under Armour, Capital One, First American Financial, Marriot International, Dun & Bradstreet, Facebook
- 4 Industry
- 4.1 Finance and payments – JP Morgan Chase, Heartland Payment Systems, Countrywide, Global Payments, Equifax, Capital One, First American Financial
- 4.2 Technology: Sony, Apple, T-Mobile, Vodafone, VTech, Adobe
- 4.3 Ecommerce and social media: Yahoo, LinkedIn, BetFair, Monster, Dun & Bradstreet, Ebay, Facebook
- 4.4 Retail: Target, TJ Maxx, Home Depot, Staples, Under Armour, Marriott
- 4.5 Healthcare – Anthem, Health Net, Community Health Systems
- 5 Size of breach
- 5.1 100 million or more records: Yahoo, Ebay, Heartland Payment Systems, LinkedIn, Equifax, Under Armour, Capital One, Marriott, First American, Facebook
- 5.2 10-99 million records: Anthem, Target, JP Morgan Chase, Sony, TJ Maxx, Home Depot, Adobe, Dun & Bradstreet, Apple, T-Mobile, Facebook
- 5.3 1-10 million records: Monster, RBS, Health Net, Global Payments, Vodafone, Staples, Community Health Systems
- 6 Sensitivity of stolen info
- 6.1 Highly sensitive info – Target, Sony, Heartland Payment Systems, TJ Maxx, Home Depot, Global Payments, Staples, Community Health Systems, Equifax, Under Armour, Capital One, First American, Marriott
- 6.2 Passwords, login info, and medical records – Ebay, Anthem, LinkedIn, Health Net
- 6.3 Usernames, email addresses, phone numbers, addresses – JP Morgan Chase, Yahoo, Adobe, Apple, Monster, Vodafone, Dun & Bradstreet, Facebook
- 7 The data breaches we analyzed
- 7.1 Adobe ($ADBE)
- 7.2 Apple ($AAPL)
- 7.3 Anthem ($ANTM)
- 7.4 Capital One ($COF)
- 7.5 Community Health Systems ($CYH)
- 7.6 Dun & Bradstreet ($DNB)
- 7.7 Facebook ($FB)
- 7.8 First American Financial ($FAF)
- 7.9 Ebay ($EBAY)
- 7.10 Equifax ($EFX)
- 7.11 Global Payments ($GPN)
- 7.12 Health Net ($HNT)
- 7.13 Heartland Payment Systems ($HPY)
- 7.14 Home Depot ($HD)
- 7.15 JP Morgan Chase ($JPM)
- 7.16 LinkedIn ($LNKD)
- 7.17 Marriott International ($MAR)
- 7.18 Monster ($MWW)
- 7.19 Royal Bank of Scotland ($RBS)
- 7.20 Sony ($SNE)
- 7.21 Staples ($SPLS)
- 7.22 Target ($TGT)
- 7.23 TJ Maxx ($TJX)
- 7.24 T-Mobile ($TMUS)
- 7.25 Under Armour ($UAA)
- 7.26 Vodafone ($VOD)
- 7.27 Yahoo ($YHOO)
- 8 NASDAQ benchmark validation
- 9 2017 vs 2018/19 studies
Excluding statistical outliers, we analyzed the share prices of these companies chosen on the following criteria:
- They experienced a breach of 1 million or more records
- They were publicly listed on the NYSE at time of breach disclosure
- The breach has been publicly disclosed
At first, we simply looked at whether the share price went up or down, but this method fails to account for market forces beyond the scope of the study. To control for this, we opted to add a second stage to the analysis. In this stage, we compare the performance of each stock with the NASDAQ for the same time period, and calculate the difference in performance between them. The NASDAQ is a common standard for overall market performance, and most of these stocks are listed on it. We used a NASDAQ composite index as a benchmark for the wider market. Here’s the formula:
(((Company prices on day X after breach)/(Company price on day prior to breach)-1)*100) - (((NASDAQ prices on day X after breach)/(NASDAQ on the day prior to breach)-1)*100)
Essentially, we anchor the NASDAQ index performance to zero. That means if a company’s stock fell 1% and the NASDAQ rose 2% in the month after a data breach, the calculated decrease is 3%. If the NASDAQ fell 2% and the company’s stock price rose 2%, we report an increase of 4%. If the NASDAQ rose 2% but the company only rose 1%, that’s a 1% decrease versus the market. Finally, if the company’s stock price falls 2% but the NASDAQ falls 3%, then the company still sees a relative increase of 1%.
In short, we make the NASDAQ’s performance the baseline instead of zero. We are primarily concerned with the following:
- the effect of a data breach on closing share price at various time intervals
- the percent difference in closing share price performance versus the NASDAQ over the same period of time from the day prior to a breach,
- and how long it takes for a share price to “bottom out” after a breach.
Historical stock data was downloaded in September 2019.
We analyzed all of the stocks together and then split them up by different factors to see if we could spot any patterns. These factors include the year of the breach, the size of the breach, the sensitivity of the leaked info, and the industry of the company. These findings, while insightful, are less statistically significant due to the smaller sample size.
Stock exchanges are only open on business days, which means no weekends or holidays. Here’s a quick reference that roughly converts business days to total time:
- One year: 253 business days
- 9 months: 198 business days
- 6 months: 132 business days
- 3 months: 66 business days
- 1 month: 22 business days
- 1 week: 5 business days
While we use daily means to present our findings in this article, we additionally include polynomial trend lines in our visualizations to better represent the data.
One of the biggest limitations to this study is sample size; there aren’t many companies that fit the criteria.
As with any financial market study, there is a huge slew of factors that could affect stock price which we cannot account for. While we’ve tried to minimize blindspots by comparing share price performance against that of the NASDAQ, there are bound to be some unexplained inconsistencies.
Two noteworthy factors that we did not cover in this analysis stood out most. The first: payouts. If a data breach leaks particularly damaging information that ultimately incurs financial damages to a company’s customers, and the company was shown not to have adequately protected the information leaked in that breach, then customers often sue in class-action lawsuits. These usually result in settlements, in which the company forks out millions of dollars to reimburse customers for damages. This does not always happen and the amount paid out varies, so we simply don’t have enough data to fit a practical model that shows how these settlements affect stock prices.
The second is financial reports. This would perhaps warrant an entirely separate study. We analyzed the share price starting with the day prior to when a data breach was publicly disclosed. While a company might divulge what information was leaked and how many records were affected in that initial disclosure, other consequences might not be revealed until the company releases its requisite quarterly shareholder report. This could include loss of sales or users, diverting funds to invest in data security, or other important information related to the breach that could cause investors to jump ship.
Stock prices suffer following a breach, but perhaps not as much as one might assume. After 14 market days, or roughly three weeks, share prices drop -7.3% on average. After the first month, however, share prices recover, and the companies we examined actually performed better in the six months following a breach (+7.4%) than the six months prior (+4.1%).
We compared the average daily volatility for the six months prior to breach against the six months after. Average daily volatility across all stocks increased slightly from 0.362% to 0.375%.
The NASDAQ comparison gives a similar result. 14 market days after a breach, share price underperforms the NASDAQ by -4.2%, but after six months, the average share price performance recovers and even surpasses NASDAQ performance (+0.48% vs NASDAQ).
In the longer term, share prices continue to grow, but not fast enough to keep up with the NASDAQ. After one year, share price has grown 8.38% on average, but underperforms the NASDAQ by -6.49%. After two years, average share price rose 12.78%, but underperformed the NASDAQ by -12.88%. And after three years, share price is up by 32.53% but down against the NASDAQ by -13.27%.
These findings seem to indicate that breaches have an overall negative effect on share price in the long term. However, it’s important to note two important factors that could influence the results. The first is that some of the companies we analyzed were breached relatively recently, so we don’t have a full three years worth of post-breach data for every company. The sample size at 3 years is smaller than the sample size at 6 months. Second, the further away in time we get from the breach, the more difficult it is to reasonably attribute changes in share price to said breach. In other words, we assume a data breach will have the greatest effect on share price immediately following the incident, and that effect will diminish over time. For this reason, we primarily focus on the six months before and after a breach is disclosed.
In the following analyses, we grouped the stocks together by different factors. These sections will primarily focus on the difference in share price performance versus the NASDAQ—not just share price fluctuation—over one year (see above for explanation). For each group, we note this statistic for the six months prior to breach, six months post-breach, and the price and number of market days it took for the stock to “bottom out” post-breach.
Time of breach
This analysis groups companies into three groups according to when they were breached. Our goal is to find out whether breaches have a larger or smaller impact on share prices over time.
The most notable result is older breaches met with a stronger negative reaction than newer breaches. One theory is that breaches were a relatively uncommon occurrence prior to 2012, but as time goes on they become more common. This causes a “breach fatigue”, or bed-of-nails effect, in which investors are less shaken by data breaches as time goes on.
Note that two companies, Heartland Payment Systems (HPY) and LinkedIn (LNKD) de-listed from the stock market after their breaches.
2011 or earlier: TJ Maxx, Countrywide, Monster, Health Net, Betfair, Sony
- 6 months prior to breach: -15.71% vs NASDAQ
- 6 months post-breach: -3.73% vs NASDAQ
- Bottom: -11.97% vs NASDAQ on day 109
Share prices of companies breached prior to 2012 fell sharply against the NASDAQ, but it’s worth mentioning these stocks were already performing poorly in the six months prior to their breaches. Despite the downward trend and the sharp drop in the first few weeks post-breach, these stocks still performed better on average in the six months after breach than the six months prior.
Notably, these companies took the longest to recover, bottoming out 109 days following their breaches on average.
2012-2015: Apple, Adobe, Anthem, Community Health Systems, Ebay, Global Payments, Home Depot, Heartland Payment Systems, JP Morgan, Sony, Staples, Target, T-Mobile, Vodaphone, Yahoo
- 6 months prior to breach: +9.99% vs NASDAQ
- 6 months post-breach: +0.99% vs NASDAQ
- Bottom: -1.96% vs NASDAQ on day 40
Companies breached from 2012 to 2015 were outperforming the NASDAQ by nearly 10% in the six months prior to their breaches. Post-breach, they still did better than the NASDAQ, but only by 1%. The initial drop directly following breaches was less severe on average than that of the earlier breaches.
2016 or later – Yahoo, LinkedIn, Equifax, Under Armour, Capital One, First American Financial, Marriot International, Dun & Bradstreet, Facebook
- 6 months prior to breach: -9.26% vs NASDAQ
- 6 months post-breach: +4.11% vs NASDAQ
- Bottom: -6.26% vs NASDAQ on day 9
Stocks that suffered breaches since 2016 initially dropped against the NASDAQ by -6.3%, but they recovered more quickly than earlier breaches. Prior to the breach, they underperformed the NASDAQ by more than 9%. However, they recovered the quickest and ultimately outpace the NASDAQ six months later by 4%.
In these analyses, we explored how share prices were affected by data breaches in specific industries. We categorized each of the stocks into one of five verticals: healthcare, finance, technology, ecommerce and social media, and retail. Note that the samples for these are quite small, so while they may be of interest, they are not as statistically rooted as the more general analyses.
Finance and payments – JP Morgan Chase, Heartland Payment Systems, Countrywide, Global Payments, Equifax, Capital One, First American Financial
- 6 months prior to breach: -6.42% vs NASDAQ
- 6 months post-breach: -4.71% vs NASDAQ
- Bottom: -16.7% vs NASDAQ on day 16
Finance-related companies were hit hard by data breaches, as one might expect. They suffered the largest initial downturn following breaches on average, sinking over 17% against the NASDAQ after 16 market days. Although the stocks performed better against the market post-breach than pre-breach, they still underperformed the NASDAQ by a difference of 2% after six months.
Technology: Sony, Apple, T-Mobile, Vodafone, VTech, Adobe
- 6 months prior to breach: +6.79% vs NASDAQ
- 6 months post-breach: -4.48% vs NASDAQ
- Bottom: -5.3% vs NASDAQ on day 40
Technology stocks collectively take a significant initial hit, although not as much as those of finance companies. The initial fall in performance was more gradual than in other categories, not bottoming out until 40 market days. Prior to the breach, these companies outperformed the NASDAQ on average, but underperformed it in the six months after.
- 6 months prior to breach: -6.1% vs NASDAQ
- 6 months post-breach: +9.87% vs NASDAQ
- Bottom: -5.13% vs NASDAQ on day 9
Ecommerce and social media companies weren’t performing that well on average prior to their data breaches. But in the six months following, they managed to outperform the NASDAQ market index by over 10%. That’s in spite of a fairly sharp drop in average share price directly following their breaches.
Retail: Target, TJ Maxx, Home Depot, Staples, Under Armour, Marriott
- 6 months prior to breach: -4.26% vs NASDAQ
- 6 months post-breach: -0.47% vs NASDAQ
- Bottom: -0.47% vs NASDAQ on day 132
This category includes some of the most high-profile data breaches in history, but despite that, they didn’t suffer much of an initial drop. Although they still underperformed the NASDAQ at the end of six months, that’s still an improvement on the prior six months.
Healthcare – Anthem, Health Net, Community Health Systems
- 6 months prior to breach: +4.76% vs NASDAQ
- 6 months post-breach: +2.97% vs NASDAQ
- Bottom: -3.15% vs NASDAQ on day 109
We only analyzed four breaches among three healthcare companies, so our results should be taken with a big grain of salt in this category. Still, we though it worth including.
Healthcare companies suffered a 4% average drop in share price in the 14 market days following a breach. The six months before breach were better than the six months after, but in both cases these companies outperformed the NASDAQ on average. Performance is heavily swayed by the ups and downs of Health Net ($HNT).
Size of breach
This analysis groups each of the stocks by size of breach: 1-10 million records, 11 to 99 million records, and 100 million or more records breached. Our hypothesis was simple: the bigger the breach, the bigger the drop in share price. But the results actually surprised us.
Companies that suffered bigger breaches were able to shake it off and ultimately outperform the market, whereas companies with smaller breaches lagged behind six months on.
100 million or more records: Yahoo, Ebay, Heartland Payment Systems, LinkedIn, Equifax, Under Armour, Capital One, Marriott, First American, Facebook
- 6 months prior to breach: -2.15% vs NASDAQ
- 6 months post-breach: +11.74% vs NASDAQ
- Bottom: -5.79% vs NASDAQ on day 9
Companies that leaked a huge amount of records suffered a sharp initial drop in performance against the NASDAQ as a result. They soon recovered, however, ultimately outpacing the NASDAQ by 12%, a significant improvement on the six months prior to breach. Performance was held aloft largely thanks to Heartland Payment Systems ($HPY).
10-99 million records: Anthem, Target, JP Morgan Chase, Sony, TJ Maxx, Home Depot, Adobe, Dun & Bradstreet, Apple, T-Mobile, Facebook
- 6 months prior to breach: -1.34% vs NASDAQ
- 6 months post-breach: -1.12% vs NASDAQ
- Bottom: -4.1% vs NASDAQ on day 45
We see a gradual slight decline in share price performance among these stocks after they’ve been breached, but for the most part they keep pace with the NASDAQ.
A notable stock to observe here is Apple ($AAPL), which fell in sharp contrast to most of the others. While Apple did suffer a data breach, the fault for that breach was not directly Apple’s, but a law enforcement leak of Apple’s customer data. We surmise Apple’s poor performance during this period was more to do with the succession of its former CEO Steve Jobs, who died less than a year earlier, and the launch of the first iPhone since his death.
1-10 million records: Monster, RBS, Health Net, Global Payments, Vodafone, Staples, Community Health Systems
- 6 months prior to breach: -0.36% vs NASDAQ
- 6 months post-breach: -5.9% vs NASDAQ
- Bottom: -11.28% vs NASDAQ on day 106
Smaller breaches had a similar negative impact on share price as the largest breaches in the immediate term, but share prices failed to recover. As you would expect—but not as is the norm—they performed worse in the six months following a breach than the six months prior.
Sensitivity of stolen info
This analysis groups stocks by the sensitivity of the data that was breached. Those that leaked the most sensitive information–credit cards and social securitn numbers–took a significant hit, while the damage to those that leaked passwords was miniscule.
Highly sensitive info – Target, Sony, Heartland Payment Systems, TJ Maxx, Home Depot, Global Payments, Staples, Community Health Systems, Equifax, Under Armour, Capital One, First American, Marriott
- 6 months prior to breach: -1.74% vs NASDAQ
- 6 months post-breach: -3.52% vs NASDAQ
- Bottom: -7.83% vs NASDAQ on day 40
The first group is highly sensitive information, primarily credit and debit card numbers or social security numbers. When this information is leaked, there are direct consequences–identity theft and credit card fraud–that cannot be resolved with a quick fix from the company.
These companies witnessed a sharp drop in share price performance on average in the first two months following their breaches. They performed worse in the six months following a breach than the six months prior, but not by much.
Passwords, login info, and medical records – Ebay, Anthem, LinkedIn, Health Net
- 6 months prior to breach: -8.86% vs NASDAQ
- 6 months post-breach: +11.02% vs NASDAQ
- Bottom: N/A
The second group includes unencrypted passwords, secret questions and answers, medical records, and other login information. This info could be used by hackers to access user accounts. While a company can simply require password resets in such a case, many people use the same password and login info on other sites. That means the information could indirectly cause someone’s other accounts to be hacked.
Stock prices for these companies didn’t drop in the wake of their breaches. Average performance was influenced heavily by LinkedIn, which was sold to Microsoft and de-listed from the NASDAQ in the year after its breach. Without it, prices would see a more gradual and steady increase, but an increase nonetheless. The six months following a breach were a huge improvement on the six months prior when compared to the market.
Usernames, email addresses, phone numbers, addresses – JP Morgan Chase, Yahoo, Adobe, Apple, Monster, Vodafone, Dun & Bradstreet, Facebook
- 6 months prior to breach: +3.57% vs NASDAQ
- 6 months post-breach: -0.11% vs NASDAQ
- Bottom: -3.12% on day 48
Finally, the last group includes breaches of information that can’t be directly used by a hacker to access someone’s account, but could be used to target account holders with advertisements, scams, and phishing emails. This information includes email addresses, usernames, addresses, and phone numbers among other information.
Royal Bank of Scotland (RBS) and Monster (MWW) didn’t decline immediately after their breaches, so we don’t see a sharp drop until the second week. Performance continued to decline for two months. Six months on, these companies were back on track with the NASDAQ, though significantly worse than the six months prior.
The data breaches we analyzed
Below we’ve listed each of the companies and some details about their respective data breaches. Note that some companies suffered from multiple data breaches. In that case, we began our analysis from the business day prior to the earliest data breach. Most companies are listed on the NYSE, but some are listed on the London and Hong Kong stock exchanges. In that case, we did not include it in our NASDAQ comparison, only the normal share price analysis. If a company is listed on multiple stock exchanges, we opted for the NYSE data as it would be more closely aligned with the NASDAQ.
We chose to use the date of the day prior to disclosure according to the earliest possible media report, press release, or other available source online. Note, however, that the data breaches often took place much earlier. Once a hacker gains access, they can remain undetected for several weeks, months, and even years. Even after they are discovered and blocked, companies often wait weeks or months before publicly disclosing the breach.
- Oct 13, 2013 – 38 million active user records including 3 million encrypted credit card numbers breached September 17, 2013
- September 3, 2012 – 12 million unique device IDs stolen from an FBI agent’s laptop
- We surmise Apple’s poor performance during this period was more to do with the succession of its former CEO Steve Jobs, who died less than a year earlier, and the launch of the first iPhone since his death.
- February 4, 2015 – 80 million medical records breached in January 2015
Capital One ($COF)
- July 30, 2019 – 100 million records, included bank account info, SSNs, and general account info, breached by a company employee
Community Health Systems ($CYH)
- August 18, 2014 – 4.5 million names, addresses, dates of birth, phone numbers, and Social Security Numbers breached between April and June
Dun & Bradstreet ($DNB)
- March 15, 2017 – 33.6 million files containing details ranging from job title to email addressed breached
- September 25, 2013 – D&B, Altegrity, and LexisNexis all report a breach going back to April including names, addresses, property records and vital statistics
- April 3, 2019 – 540 million records about Facebook users exposed by third-party app developers including account names, IDs, friends, photos, location checkins and details about comments and reactions to posts. 22,000 of these included account passwords.
- September 28, 2019 – 50 million Facebook accounts were compromised through stolen access tokens that allow attackers to hijack the accounts
First American Financial ($FAF)
- May 24, 2019 – 885 million records dating back 16 years exposed, including bank account numbers, statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images
- May 21, 2014 – 145 million accounts breached in Feb/March 2014 including passwords
- Sept 17, 2017 – 143 million US consumers’ names, Social Security numbers, and dates of birth were exposed, sometimes including driver’s licenses and/or credit card numbers. Some Canadian and British customers were affected as well.
Global Payments ($GPN)
- April 2, 2012 – 1.5 million credit and debit card numbers were breached in early March
Health Net ($HNT)
- November 19, 2009 – A hard drive with seven years’ worth of personal financial and medical information of 1.5 million customers of Health Net of the Northeast Inc. went missing in May 2009
- March 15, 2011 – Nine server drives containing names, addresses, Social Security numbers, financial information and health data of 1.9 million customers went missing from an IBM data center
Heartland Payment Systems ($HPY)
- May 31, 2015 – 130 million credit cards breached on May 8, 2015
Home Depot ($HD)
- September 18, 2014 – 56 million credit cards breached over a 5-month period
JP Morgan Chase ($JPM)
- November 10, 2015 – 83 million account details including names, emails, postal addresses, and phone numbers breached in July/August 2014
- May 18, 2016 – 117 million emails and passwords breached in 2012
- Microsoft signed deal to acquire in June 2016 (share price skyrockets)
- Delisted December 2016
Marriott International ($MAR)
- Novemer 30, 2018 – 500 million records from a reservation database including names, addresses, credit cards, phone numbers, passport numbers, and travel info dating back to 2014
- August 21, 2007 – 1.3 million names, addresses, phone numbers and e-mail addresses of job seekers were breached five days prior to disclosure
- January 23, 2009 – An unknown number of user IDs and passwords were stolen, along with names, e-mail addresses, birth dates, gender, ethnicity, and in some cases, users’ states of residence were breached
Royal Bank of Scotland ($RBS)
- December 29, 2008 – 1.5 million RBS Worldpay payroll and gift card holders’ card data was breached, 1.1 million of which also included social security records were breached on November 10, over a month earlier
- November 24, 2014 – 10 million employee records including some social security numbers breached allegedly over a year-long period
- April 26, 2011 – Sony Playstation Network and Online Entertainment breached 77 million accounts including some credit card data, discovered 7 days prior
- December 19, 2014 – 1.16 million credit and debit card numbers breached between April and September
- December 19, 2013 – 70 million card details breached in Nov-December 2015
TJ Maxx ($TJX)
- March 29, 2007 – 45.6 million (others report 94 million) records of credit and debit card details breached starting in mid-2005 and lasted for 18 months
- Oct 1, 2015 – 15 million T-Mobile customer data breached from Experian including social security numbers
- April 10, 2008 – 17 million phone numbers, addresses, dates of birth and email addresses breached in 2006 (this was actually T-Mobile’s parent company, Deutsche Telekom, and thus not included in our calculations)
Under Armour ($UAA)
- March 29, 2018 – 150 million user accounts for UnderArmour’s MyFitnessPal app were breached, leaking usernames, email addresses, and hashed passwords
- September 12, 2013 – Over 2 million names, addresses, bank account numbers and birth dates breached
- September 22, 2016 – 500 million accounts breached in 2014
- December 14, 2016 – 1 billion accounts breached in 2013
- May 20, 2013 – 22 million user Yahoo Japan IDs breached on May 16 (note: Yahoo Japan is listed separately on the Tokyo Stock exchange and is not part of this analysis)
NASDAQ benchmark validation
We ran the same one-year overall comparison analysis that we used on the NASDAQ against the S&P 500. We did this to ensure that the NASDAQ comparison results are materially similar to other broad benchmarks. The S&P 500 is a fairly standard benchmark for overall market performance.
Here is the overall NASDAQ comparison for one year:
And here it is for the S&P 500:
The curve is slightly different but overall doesn’t vary much from the NASDAQ.
2017 vs 2018/19 studies
The 2018 and 2019 versions of this study are revisions of a similar study that we conducted in 2017. The 2018 modifications include:
- Added two new companies: Under Armour (UAA) and Equifax (EFX)
- Removed three companies that are not listed on the NYSE to get a more uniform data set: Betfair, Countrywide, and VTech
- If a company suffered two data breaches that meet the criteria, we analyzed both instead of just the latest one (SNE, HNT, TMUS)
- Shifted focus to 6 months instead of 1-3 years. The effect of data breaches on share price diminishes over time, so we chose to look at a shorter period of time when changes in share price are more directly attributable to data breaches.
- Included 6 months prior to breach to compare share price fluctuations before and after breach and add context.
- Shifted focus more on the NASDAQ performance comparison and less on share price fluctuation
- Improved visualizations with interactive features.
The 2019 changes include:
- Five more breaches from four companies: Facebook (FB), First American Financial (FAF), Capital One (COF), and Marriott Interational (MAR)
- Shifted the categories for “time of breach” comparison over by one year
In the 2018 study, we noted a slower decline in performance over time than in 2017. This is most likely to do with the introduction of new companies and breaches in the data set.