data breaches stock market share prices

A data breach incurs serious consequences no matter whether a company is big or small. Staff get fired, executives issue apologies, and entire systems are overhauled to ensure that it doesn’t happen again. They instill doubt in consumers, damage the company’s reputation, and the impact can last for years. A data breach can harm both public sentiment and a company’s competitive edge in the market.

But how do investors react to data breaches? Does Wall Street punish companies that leak customer data? This is the question we will attempt to answer.

We analyzed the closing share prices of 34 companies, all of them listed on the New York Stock Exchange, starting the day prior to the public disclosure of their respective data breaches. Included are many of the largest data breaches in history; all of them resulted in at least 1 million records leaked, and some surpassed 100 million. Some companies were breached more than once, for a total of 40 breaches analyzed.

Some of our key findings include:

  • Share prices of breached companies hit a low point approximately 110 market days following a breach. Share prices fall -3.5% on average, and underperform the NASDAQ by -3.5%
  • Six months after a breach, the companies we analyzed performed worse than they did in the six months prior—just barely. 21 out of 40 breaches resulted in worse stock performance versus the NASDAQ in the six months after a breach than they did in the six months prior. In the six months leading up to a breach, average share price grew +2.6%, compared to -3.0% following a breach. The companies underperformed the NASDAQ by -2.6% leading up to the breach, slightly better than the -3.0% underperformance six months after.
  • In the long term, breached companies underperformed the market. After 1 year, Share price fell -8.6% on average, and underperformed the NASDAQ by -8.6%. After 2 years, average share price fell -11.3%, and underperformed the NASDAQ by -11.9%. And after three years, average share price is down by -15.6% and down against the NASDAQ by -15.6%. It’s important to note the impact of data breaches likely diminishes over time.
  • Tech and finance companies saw the largest drop in share price performance following a breach, while ecommerce and social media companies were least affected
  • Breaches that leak highly sensitive information like credit card and social security numbers see more immediate drops in share price performance on average than companies that leak less sensitive info, but in the long term they do not necessarily suffer more

The companies include: Apple, Adobe, Anthem, Community Health Systems, Capital One, Dun & Bradstreet, Estee Lauder, Facebook, First American Financial, Ebay, Equifax, Global Payments, Home Depot, Health Net, Heartland Payment Systems, JP Morgan Chase, LabCorp, LinkedIn, Marriott International, MGM Resorts, Microsoft, Monster, Quest Diagnostics, T-Mobile, Sony, Staples, Target, TJ Maxx, Under Armour, Vodafone, Walgreens, Yahoo, and Zynga.

Methodology

Excluding statistical outliers, we analyzed the share prices of these companies chosen on the following criteria:

  • They experienced a breach of 1 million or more records
  • They were publicly listed on the NYSE at time of breach disclosure
  • The breach has been publicly disclosed

At first, we simply looked at whether the share price went up or down, but this method fails to account for market forces beyond the scope of the study. To control for this, we opted to add a second stage to the analysis. In this stage, we compare the performance of each stock with the NASDAQ for the same time period, and calculate the difference in performance between them. The NASDAQ is a common standard for overall market performance, and most of these stocks are listed on it. We used a NASDAQ composite index as a benchmark for the wider market. Here’s the formula:

(((Company prices on day X after breach)/(Company price on day prior to breach)-1)*100) - (((NASDAQ prices on day X after breach)/(NASDAQ on the day prior to breach)-1)*100)

Essentially, we anchor the NASDAQ index performance to zero. That means if a company’s stock fell 1% and the NASDAQ rose 2% in the month after a data breach, the calculated decrease is 3%. If the NASDAQ fell 2% and the company’s stock price rose 2%, we report an increase of 4%. If the NASDAQ rose 2% but the company only rose 1%, that’s a 1% decrease versus the market. Finally, if the company’s stock price falls 2% but the NASDAQ falls 3%, then the company still sees a relative increase of 1%.

In short, we make the NASDAQ’s performance the baseline instead of zero. We are primarily concerned with the following:

  • the effect of a data breach on closing share price at various time intervals
  • the percent difference in closing share price performance versus the NASDAQ over the same period of time from the day prior to a breach,
  • and how long it takes for a share price to “bottom out” after a breach.

Historical stock data was downloaded in September 2019.

We analyzed all of the stocks together and then split them up by different factors to see if we could spot any patterns. These factors include the year of the breach, the size of the breach, the sensitivity of the leaked info, and the industry of the company. These findings, while insightful, are less statistically significant due to the smaller sample size.

Stock exchanges are only open on business days, which means no weekends or holidays. Here’s a quick reference that roughly converts business days to total time:

  • One year: 253 business days
  • 9 months: 198 business days
  • 6 months: 132 business days
  • 3 months: 66 business days
  • 1 month: 22 business days
  • 1 week: 5 business days

While we use daily means to present our findings in this article, we additionally include polynomial trend lines in our visualizations to better represent the data.

Limitations

One of the biggest limitations to this study is sample size; there aren’t many companies that fit the criteria.

As with any financial market study, there is a huge slew of factors that could affect stock price which we cannot account for. While we’ve tried to minimize blindspots by comparing share price performance against that of the NASDAQ, there are bound to be some unexplained inconsistencies.

Two noteworthy factors that we did not cover in this analysis stood out most. The first: payouts. If a data breach leaks particularly damaging information that ultimately incurs financial damages to a company’s customers, and the company was shown not to have adequately protected the information leaked in that breach, then customers often sue in class-action lawsuits. These usually result in settlements, in which the company forks out millions of dollars to reimburse customers for damages. This does not always happen and the amount paid out varies, so we simply don’t have enough data to fit a practical model that shows how these settlements affect stock prices.

The second is financial reports. This would perhaps warrant an entirely separate study. We analyzed the share price starting with the day prior to when a data breach was publicly disclosed. While a company might divulge what information was leaked and how many records were affected in that initial disclosure, other consequences might not be revealed until the company releases its requisite quarterly shareholder report. This could include loss of sales or users, diverting funds to invest in data security, or other important information related to the breach that could cause investors to jump ship.

What effect does a data breach have on share price?

Stock prices suffer following a breach, but perhaps not as much as one might assume. After 14 market days, or roughly three weeks, share prices drop -3.5% on average. In the six months leading up to a breach, average share price grew +2.6%, compared to -3.0% following a breach. However, the companies underperformed the NASDAQ by -2.6% leading up to the breach, slightly better than the -3.0% underperformance six months after.

The NASDAQ comparison gives a similar result. 14 market days after a breach, average share price bottoms out and underperforms the NASDAQ by -3.5%. After six months, the average share price performance falls -3.0% against the NASDAQ.

We compared the average daily volatility for the six months prior to breach against the six months after. Average daily volatility across all stocks decreased slightly from 0.405% to 0.349%

Long term effects of data breach on share price


In the long term, breached companies underperformed the market. After 1 year, Share price fell -8.6% on average, and underperformed the NASDAQ by -8.6%. After 2 years, average share price fell -11.3%, and underperformed the NASDAQ by -11.9%. And after three years, average share price is down by -15.6% and down against the NASDAQ by -15.6%.

These findings seem to indicate that breaches have an overall negative effect on share price in the long term. However, it’s important to note two important factors that could influence the results. The first is that some of the companies we analyzed were breached relatively recently, so we don’t have a full three years worth of post-breach data for every company. The sample size at three years is smaller than the sample size at six months. Second, the further away in time we get from the breach, the more difficult it is to reasonably attribute changes in share price to said breach. In other words, we assume a data breach will have the greatest effect on share price immediately following the incident, and that effect will diminish over time. For this reason, we primarily focus on the six months before and after a breach is disclosed.

In the following analyses, we grouped the stocks together by different factors. These sections will primarily focus on the difference in share price performance versus the NASDAQ—not just share price fluctuation—over one year (see above for explanation). For each group, we note this statistic for the six months prior to breach, six months post-breach, and the price and number of market days it took for the stock to “bottom out” post-breach.

Time of breach

This analysis groups companies into three groups according to when they were breached. Our goal is to find out whether breaches have a larger or smaller impact on share prices over time.

The most notable result is older breaches met with a stronger negative reaction than newer breaches. One theory is that breaches were a relatively uncommon occurrence prior to 2012, but as time goes on they become more common. This causes a “breach fatigue”, or bed-of-nails effect, in which investors are less shaken by data breaches as time goes on.

Note that two companies, Heartland Payment Systems ($HPY) and LinkedIn ($LNKD) de-listed from the stock market after their breaches.

2012 or earlier: Apple, Global Payment Systems, Health Net, Monster, Royal Bank of Scotland, Sony, TJX, and T-Mobile

  • 6 months prior to breach: -10.6% vs NASDAQ
  • 6 months post-breach: -8.0% vs NASDAQ
  • Bottom: -14.46% vs NASDAQ on day 109

Share prices of companies breached in 2012 or earlier fell sharply against the NASDAQ, but it’s worth mentioning these stocks were already performing poorly in the six months prior to their breaches. Despite the downward trend and the sharp drop in the first few weeks post-breach, these stocks still performed better on average in the six months after breach than the six months prior.

Notably, these companies took the longest to recover, bottoming out 109 days following their breaches on average.

2013-2016: Adobe, Anthem, Community Health Systems, Ebay, Home Depot, Heartland Payment Systems, JP Morgan, LinkedIn, Sony, Staples, Target, T-Mobile, Vodafone, Yahoo

  • 6 months prior to breach: +6.3% vs NASDAQ
  • 6 months post-breach: +7.1% vs NASDAQ
  • Bottom: -1.5% vs NASDAQ on day 5

Companies breached from 2013 to 2016 performed better in the six months following a breach than in the six months prior, but by less than a 1% difference. The initial drop directly following breaches was less severe on average than that of the earlier breaches.

Yahoo reported two separate data breaches during this period.

2017 or later – Yahoo, LinkedIn, Equifax, Under Armour, Capital One, First American Financial, Marriot International, Dun & Bradstreet, Facebook

  • 6 months prior to breach: -7.36% vs NASDAQ
  • 6 months post-breach: -8.94% vs NASDAQ
  • Bottom: -10.0% vs NASDAQ on day 100

Stocks that suffered breaches since 2017 saw their performance versus the NASDAQ bottom out 100 days after disclosure. Performance following a breach was slightly poorer than prior to a breach.

Breaches that occurred in the late 20-teens were met with a stronger negative reaction than those in the mid-teens, but they still performed better than companies breached prior to 2013.

Industry

In these analyses, we explored how share prices were affected by data breaches in specific industries. We categorized each of the stocks into one of five verticals: healthcare, finance, technology, ecommerce and social media, and retail and hospitality. Note that the samples for these are quite small, so while they may be of interest, they are not as statistically rooted as the more general analyses.

Finance and payments – JP Morgan Chase, Heartland Payment Systems, Countrywide, Global Payments, Equifax, Capital One, First American Financial

  • 6 months prior to breach: -6.5% vs NASDAQ
  • 6 months post-breach: -4.2% vs NASDAQ
  • Bottom: -16.7% vs NASDAQ on day 16

Finance-related companies were hit hard by data breaches, as one might expect. They suffered the largest immediate downturn following breaches on average, sinking nearly 17% against the NASDAQ after 16 market days. Although the stocks performed better against the market post-breach than pre-breach, they still underperformed the NASDAQ after six months.

Technology: Sony, Apple, T-Mobile, Vodafone, VTech, Adobe, Microsoft, Zynga

  • 6 months prior to breach: +6.4% vs NASDAQ
  • 6 months post-breach: +0.4% vs NASDAQ
  • Bottom: -2.9% vs NASDAQ on day 98

Technology stocks had the biggest difference in stock prices between the six months prior to a breach and six months following. The initial fall in performance was more gradual than in other categories, not bottoming out until 98 market days. Prior to the breach, these companies significantly outperformed the NASDAQ on average. Following a breach, they barely kept up.

Ecommerce and social media: Yahoo, LinkedIn, Monster, Dun & Bradstreet, Ebay, Facebook

  • 6 months prior to breach: -5.61% vs NASDAQ
  • 6 months post-breach: +9.3% vs NASDAQ
  • Bottom: -4.56% vs NASDAQ on day 9

Ecommerce and social media companies weren’t performing that well on average prior to their data breaches. But in the six months following, they managed to outperform the NASDAQ market index by nearly 10%. That’s in spite of a fairly sharp drop in average share price directly following their breaches. In the long term, it seems ecommerce and social media stocks are the most resilient after data breaches.

Retail and Hospitality: Target, TJ Maxx, Home Depot, Staples, Under Armour, Marriott, Estee Lauder, MGM Resorts, Walgreens

  • 6 months prior to breach: -8.7% vs NASDAQ
  • 6 months post-breach: -14.32% vs NASDAQ
  • Bottom: -14.81% vs NASDAQ on day 125

Retail and hospitality companies’ share prices weren’t doing too well on the stock market prior to their breaches, and they performed even worse after the fact. Their share prices never really bottomed out in the first six months, and performance continued to slide throughout the period. This group of stocks includes some of the largest and most severe data breaches in history. Marriot suffered two breaches that met our criteria.

Healthcare – Anthem, Health Net, Community Health Systems, Quest Diagnostics, LabCorp

  • 6 months prior to breach: +2.2% vs NASDAQ
  • 6 months post-breach: -1.94% vs NASDAQ
  • Bottom: -6.0% vs NASDAQ on day 109

Healthcare companies suffered a gradual -6% average decline in share price against the NASDAQ following a breach, though it managed to rebound to -1.94% by the end of six months. The six months before breach were better than the six months after. Performance is heavily swayed by the ups and downs of Health Net ($HNT).

Size of breach

This analysis groups each of the stocks by size of breach: 1-10 million records, 11 to 99 million records, and 100 million or more records breached. Our hypothesis was simple: the bigger the breach, the bigger the drop in share price. But the results actually surprised us.

Companies that suffered bigger breaches were able to shake it off and ultimately outperform the market, whereas companies with smaller breaches lagged behind six months on.

100 million or more records: Yahoo, Ebay, Heartland Payment Systems, LinkedIn, Equifax, Under Armour, Capital One, Marriott, First American, Facebook, Zynga, Estee Lauder, Microsoft, MGM

  • 6 months prior to breach: -1.65% vs NASDAQ
  • 6 months post-breach: +7.8% vs NASDAQ
  • Bottom: -3.6% vs NASDAQ on day 9

Companies that leaked a huge amount of records suffered a sharp initial drop in performance against the NASDAQ as a result. They soon recovered, however, ultimately outpacing the NASDAQ by 8%, a significant improvement on the six months prior to breach. Performance was held aloft largely thanks to Heartland Payment Systems ($HPY).

10-99 million records: Anthem, Target, JP Morgan Chase, Sony, TJ Maxx, Home Depot, Adobe, Dun & Bradstreet, Apple, T-Mobile, Facebook, Walgreens, Quest Diagnostics

  • 6 months prior to breach: -3.0% vs NASDAQ
  • 6 months post-breach: -5.1% vs NASDAQ
  • Bottom: -5.9% vs NASDAQ on day 128

We see a gradual decline in share price performance among these stocks after they’ve been breached, and they did not recover much in the following six months.

A notable stock to observe here is Apple ($AAPL), which fell in sharp contrast to most of the others. While Apple did suffer a data breach, the fault for that breach was not directly Apple’s, but a law enforcement leak of Apple’s customer data. We surmise Apple’s poor performance during this period was more to do with the succession of its former CEO Steve Jobs, who died less than a year earlier, and the launch of the first iPhone since his death.

1-10 million records: Monster, RBS, Health Net, Global Payments, Vodafone, Staples, Community Health Systems, Marriott, LabCorp

  • 6 months prior to breach: -0.36% vs NASDAQ
  • 6 months post-breach: -9.0% vs NASDAQ
  • Bottom: -13.2% vs NASDAQ on day 109

Smaller breaches had a similar negative impact on share price as the largest breaches in the immediate term, but share prices failed to recover. As you would expect—but not as is the norm—they performed worse in the six months following a breach than the six months prior.

Sensitivity of stolen info

This analysis groups stocks by the sensitivity of the data that was breached. Those that leaked the most sensitive information–credit cards and Social Security numbers–took a significant hit, while the damage to those that leaked passwords was miniscule.

Highly sensitive info – Target, Sony, Heartland Payment Systems, TJ Maxx, Home Depot, Global Payments, Staples, Community Health Systems, Equifax, Capital One, First American, Marriott, Quest Diagnostics

  • 6 months prior to breach: -1.74% vs NASDAQ
  • 6 months post-breach: -3.7% vs NASDAQ
  • Bottom: -7.3% vs NASDAQ on day 13

The first group is highly sensitive information, primarily credit and debit card numbers or Social Security numbers. When this information is leaked, there are direct consequences–identity theft and credit card fraud–that cannot be resolved with a quick fix from the company.

These companies witnessed a sharp drop in share price performance on average in the first two months following their breaches. They performed worse in the six months following a breach than the six months prior, but not by much.

Passwords, login info, and medical records – Ebay, Anthem, LinkedIn, Health Net, Facebook, Walgreens, Zynga

  • 6 months prior to breach: -8.2% vs NASDAQ
  • 6 months post-breach: +11.02% vs NASDAQ
  • Bottom: -1.2% on day 100

The second group includes unencrypted passwords, secret questions and answers, medical records, and other login information. This info could be used by hackers to access user accounts. While a company can simply require password resets in such a case, many people use the same password and login info on other sites. That means the information could indirectly cause someone’s other accounts to be hacked.

Stock prices for these companies didn’t drop much in the wake of their breaches. Average performance was influenced heavily by LinkedIn, which was sold to Microsoft and de-listed from the NASDAQ in the year after its breach. Without it, prices would see a more gradual and steady increase, but an increase nonetheless. The six months following a breach were a huge improvement on the six months prior when compared to the market.

Usernames, email addresses, phone numbers, addresses – JP Morgan Chase, Yahoo, Adobe, Apple, Monster, Vodafone, Dun & Bradstreet, Facebook, Estee Lauder, LabCorp, MGM Resorts, Microsoft, Marriott, Under Armour

  • 6 months prior to breach: -0.8% vs NASDAQ
  • 6 months post-breach: -6.6% vs NASDAQ
  • Bottom: N/A

Finally, the last group includes breaches of information that can’t be directly used by a hacker to access someone’s account, but could be used to target account holders with advertisements, scams, and phishing emails. This information includes email addresses, usernames, addresses, and phone numbers among other information.

Average stock performance versus the NASDAQ suffered in the six months following a breach and never bottoms out in that time. Share prices suffered more than those in the more sensitive categories, though the immediate decline was not as sharp.

The data breaches we analyzed

Below we’ve listed each of the companies and some details about their respective data breaches. Note that some companies suffered from multiple data breaches. In that case, we began our analysis from the business day prior to the earliest data breach. Most companies are listed on the NYSE, but some are listed on the London and Hong Kong stock exchanges. In that case, we did not include it in our NASDAQ comparison, only the normal share price analysis. If a company is listed on multiple stock exchanges, we opted for the NYSE data as it would be more closely aligned with the NASDAQ.

We chose to use the date of the day prior to disclosure according to the earliest possible media report, press release, or other available source online. Note, however, that the data breaches often took place much earlier. Once a hacker gains access, they can remain undetected for several weeks, months, and even years. Even after they are discovered and blocked, companies often wait weeks or months before publicly disclosing the breach.

Adobe ($ADBE)

  • Oct 13, 2013 – 38 million active user records including 3 million encrypted credit card numbers breached September 17, 2013

Apple ($AAPL)

  • September 3, 2012 – 12 million unique device IDs stolen from an FBI agent’s laptop
  • We surmise Appleā€™s poor performance during this period was more to do with the succession of its former CEO Steve Jobs, who died less than a year earlier, and the launch of the first iPhone since his death.

Anthem ($ANTM)

  • February 4, 2015 – 80 million medical records breached in January 2015

Capital One ($COF)

  • July 30, 2019 – 100 million records, included bank account info, SSNs, and general account info, breached by a company employee

Community Health Systems ($CYH)

  • August 18, 2014 – 4.5 million names, addresses, dates of birth, phone numbers, and Social Security Numbers breached between April and June

Dun & Bradstreet ($DNB)

  • March 15, 2017 – 33.6 million files containing details ranging from job title to email addressed breached
  • September 25, 2013 – D&B, Altegrity, and LexisNexis all report a breach going back to April including names, addresses, property records and vital statistics

Facebook ($FB)

  • April 3, 2019 – 540 million records about Facebook users exposed by third-party app developers including account names, IDs, friends, photos, location checkins and details about comments and reactions to posts. 22,000 of these included account passwords.
  • September 28, 2019 – 50 million Facebook accounts were compromised through stolen access tokens that allow attackers to hijack the accounts

First American Financial ($FAF)

  • May 24, 2019 – 885 million records dating back 16 years exposed, including bank account numbers, statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images

Ebay ($EBAY)

  • May 21, 2014 – 145 million accounts breached in Feb/March 2014 including passwords

Equifax ($EFX)

  • Sept 17, 2017 – 143 million US consumers’ names, Social Security numbers, and dates of birth were exposed, sometimes including driver’s licenses and/or credit card numbers. Some Canadian and British customers were affected as well.

Estee Lauder ($EL)

  • February 11, 2020 – 440 million breached customer records included email addresses, IP addresses, ports, pathways, and storage info

Global Payments ($GPN)

  • April 2, 2012 – 1.5 million credit and debit card numbers were breached in early March

Health Net ($HNT)

  • November 19, 2009 – A hard drive with seven years’ worth of personal financial and medical information of 1.5 million customers of Health Net of the Northeast Inc. went missing in May 2009
  • March 15, 2011 – Nine server drives containing names, addresses, Social Security numbers, financial information and health data of 1.9 million customers went missing from an IBM data center

Heartland Payment Systems ($HPY)

  • May 31, 2015 – 130 million credit cards breached on May 8, 2015

Home Depot ($HD)

  • September 18, 2014 – 56 million credit cards breached over a 5-month period

JP Morgan Chase ($JPM)

  • November 10, 2015 – 83 million account details including names, emails, postal addresses, and phone numbers breached in July/August 2014

LabCorp ($LH)

  • June 4, 2019 – 7.7 million patient records were breached including names, email addresses, dates of birth, and account balances

LinkedIn ($LNKD)

  • May 18, 2016 – 117 million emails and passwords breached in 2012
  • Microsoft signed deal to acquire in June 2016 (share price skyrockets)
  • Delisted December 2016

Marriott International ($MAR)

  • Novemer 30, 2018 – 500 million records from a reservation database including names, addresses, credit cards, phone numbers, passport numbers, and travel info dating back to 2014
  • March 31, 2020 – 5.2 million customer records were breached including names, addresses, emails, phone numbers, loyalty account numbers, point balances, company, gender, date of birth, linked loyalty programs and numbers, room preferences, and language

MGM Resorts ($MGM)

  • February 20, 2020 – 142 million records including names, addresses, phone numbers, email addresses, and dates of birth were breached

Microsoft ($MSFT)

  • January 22, 2020 – 280 million breached records included email addresses, IP addresses, and support case details

Monster ($MWW)

  • August 21, 2007 – 1.3 million names, addresses, phone numbers and e-mail addresses of job seekers were breached five days prior to disclosure
  • January 23, 2009 – An unknown number of user IDs and passwords were stolen, along with names, e-mail addresses, birth dates, gender, ethnicity, and in some cases, users’ states of residence were breached

Quest Diagnostics ($DGX)

  • June 3, 2019 – 12 million patient records were breached including financial account information, Social Security numbers, and healthcare information

Royal Bank of Scotland ($RBS)

  • December 29, 2008 – 1.5 million RBS Worldpay payroll and gift card holders’ card data was breached, 1.1 million of which also included social security records were breached on November 10, over a month earlier

Sony ($SNE)

  • November 24, 2014 – 10 million employee records including some social security numbers breached allegedly over a year-long period
  • April 26, 2011 – Sony Playstation Network and Online Entertainment breached 77 million accounts including some credit card data, discovered 7 days prior

Staples ($SPLS)

  • December 19, 2014 – 1.16 million credit and debit card numbers breached between April and September

Target ($TGT)

  • December 19, 2013 – 70 million card details breached in Nov-December 2015

TJ Maxx ($TJX)

  • March 29, 2007 – 45.6 million (others report 94 million) records of credit and debit card details breached starting in mid-2005 and lasted for 18 months

T-Mobile ($TMUS)

  • Oct 1, 2015 – 15 million T-Mobile customer data breached from Experian including social security numbers
  • April 10, 2008 – 17 million phone numbers, addresses, dates of birth and email addresses breached in 2006 (this was actually T-Mobile’s parent company, Deutsche Telekom, and thus not included in our calculations)

Under Armour ($UAA)

  • March 29, 2018 – 150 million user accounts for UnderArmour’s MyFitnessPal app were breached, leaking usernames, email addresses, and hashed passwords

Vodafone ($VOD)

  • September 12, 2013 – Over 2 million names, addresses, bank account numbers and birth dates breached

Walgreens ($WBA)

  • March 2, 2020 – A store app with 10 million downloads leaked names, prescription numbers, drug names, store numbers, addresses, and personal messages. The exact number of customers affected was not disclosed.

Yahoo ($YHOO)

  • September 22, 2016 – 500 million accounts breached in 2014
  • December 14, 2016 – 1 billion accounts breached in 2013
  • May 20, 2013 – 22 million user Yahoo Japan IDs breached on May 16 (note: Yahoo Japan is listed separately on the Tokyo Stock exchange and is not part of this analysis)

Zynga ($ZNGA)

  • September 12, 2019 – 218 million player records included names, emails, user IDs, hashed passwords, phone numbers, Facebook IDs, and Zynga account IDs

NASDAQ benchmark validation

We ran the same one-year overall comparison analysis that we used on the NASDAQ against the S&P 500. We did this to ensure that the NASDAQ comparison results are materially similar to other broad benchmarks. The S&P 500 is a fairly standard benchmark for overall market performance.

Here is the overall NASDAQ comparison for one year:

breach_nasdaq_1_year_all

And here it is for the S&P 500:

breach_snp_1_year_all

The curve is slightly different but overall doesn’t vary much from the NASDAQ.

Study updates

The 2018 and 2019 versions of this study are revisions of a similar study that we conducted in 2017. The 2018 modifications include:

  • Added two new companies: Under Armour (UAA) and Equifax (EFX)
  • Removed three companies that are not listed on the NYSE to get a more uniform data set: Betfair, Countrywide, and VTech
  • If a company suffered two data breaches that meet the criteria, we analyzed both instead of just the latest one (SNE, HNT, TMUS)
  • Shifted focus to 6 months instead of 1-3 years. The effect of data breaches on share price diminishes over time, so we chose to look at a shorter period of time when changes in share price are more directly attributable to data breaches.
  • Included 6 months prior to breach to compare share price fluctuations before and after breach and add context.
  • Shifted focus more on the NASDAQ performance comparison and less on share price fluctuation
  • Improved visualizations with interactive features.

In the 2018 study, we noted a slower decline in performance over time than in 2017. This is most likely to do with the introduction of new companies and breaches in the data set.

The 2019 changes include:

  • Five more breaches from four companies: Facebook ($FB), First American Financial ($FAF), Capital One ($COF), and Marriott International ($MAR)
  • Shifted the categories for “time of breach” comparison over by one year

And in 2021:

  • Seven more breaches added: Quest Diagnostics ($DGX), LabCorp ($LH), Zynga (ZNGA), Microsoft (MSFT), MGM Resorts (MGM), and Walgreens (WBA), and a second breach from Marriott ($MAR)
  • Shifted the categories for “time of breach” comparison over by one year