In TalkTalk aftermath, it's time for companies to pay higher price for breaches

It's amazing that so many companies have been dragged through the headlines over breaches and used as examples of what not to do when protecting customers and clients in the digital era, and yet none have taken a hit in the stock market.


After Target's breach, its stock was fine. Home Depot's stock prices showed no noticeable impact of its big hack attack. JPMorgan Chase's investors didn't even blink when the company was revealed to be the target of the largest-ever theft of customer data from a US financial institution (and one of the biggest breaches to date).



But when UK telecom giant TalkTalk joined the breach victim club in October 2015, its stock took a jaw-dropping beating, and it hasn't recovered. The burning question of "why" has a lot of people wondering if there was something different about TalkTalk's break-in that we should all be paying attention to, or if we're now entering the era where cyberattacks can damage more than a company's reputation.

When news of TalkTalk's breach made headlines on October 22, its stock went into a spiral. In just the first few days after the attack, the publicly traded company's stock fell a stunning 22% -- and rode an average 20% drop through November, with no recovery in sight.

It was the target of a fairly standard attack routine: on or around October 21, the company's website was pummeled with a distributed denial-of-service (DDoS) attack, during which a SQL injection attack was carried out and databases were snatched. Like other companies, this was not the first attack affecting TalkTalk; as far as we know, the company had been popped twice before within the past year because of issues at its third-party suppliers. Both times, its stock was unaffected.

TalkTalk admitted the hack to media on October 22, and its share price promptly went into free-fall. TalkTalk made an urgent statement to press, where the company mumbled that "not all of the data was encrypted" -- it was soon revealed in a Pastebin dump that this included customers' sensitive data, which suggested that passwords and other critical information may have been sitting on the databases in plaintext. In fact, TalkTalk's FAQ about the hack answers the question "Was the data encrypted?" evasively, saying, "Credit and debit card details were tokenised, which is a standard higher than encryption. In all other respects we complied with any obligations to encrypt data."

Sidestepping questions about securing data under fire isn't ethical, but it also isn't unique to TalkTalk; companies are wont to soften the blow of security disasters. Also not unique to TalkTalk was the size of the customer base affected. The breach was first estimated to affect 4 million customers, but the company quickly ratcheted the number of those directly affected back to 157,000. It was revealed that 16,000 customers saw bank account details stolen. TalkTalk admitted to press that the information "accessed" by attackers was customers' names, email and mail addresses, dates of birth, and account information, along with credit card and bank account details. In comparison, Target's breach affected the sensitive credit and debit card information of 40 million customers.

TalkTalk's breach also followed the modern blame-game playbook, with an "evildoer" attacker that later proved to be both a temporary distraction from accountability and utterly false. On October 23, one day after the news hit, former Scotland Yard cybercrime unit detective Adrian Culley told BBC Radio 4's Today programme "It appears at face value to be Islamic cyberterrorism," and that the hack was the work of Islamist militants from "Soviet Russia". By November 15, all five arrests for the hack were UK-based teenagers.

Within the same time frame, the US recently charged three Israeli men for hacking and robbing JPMorgan Chase & Co, in what is the largest-ever theft of customer data from a U.S. financial institution (and one of the biggest breaches to date). When news of the breach first hit, it was reported that "some members of the bank's security team to tell outside consultants that they believed the hackers had been aided by the hidden hand of the Russian government" -- and attribution was firmly assigned to Russia. (A fourth culprit, an American citizen, is still at large and wanted by the FBI.) JPMorgan's stock prices never knew the difference.

It's kind of amazing that so many companies have been dragged through the headlines over breaches and used as examples of what not to do when protecting customers and clients in the digital era, and yet none of them have had what we'd expect to be the result of a reputational crisis: Virtually none have taken a hit in the stock market.

But there have been a few. Summit Route's Scott Piper reminds us that there have been instances of stocks taking a hit as the result of a company being hacked. Notably, two.

"Heartland Payment Systems (HPY) suffered the largest credit card breach in history, with an estimated 130M customers affected. In the middle of the day on Tuesday, January 20, 2009, Heartland Payment Systems announced they had been breached ... That morning the stock had opened at $15.06, and by close it was at $14.18 (-5.8%). The next day it didn't move much (closed at $14.11), but on Thursday, Jan 22, it closed at $8.18, which is a 45.7% drop from its open just a few days prior. It seems that on the initial news of the breach on January 20, it wasn't known how bad it really was and the news was drowned out due to that day being Inauguration Day for President Obama, but on Thursday people figured out what exactly was compromised.

Global Payment Systems (GPN) suffered a breach ... on March 30, 2012, and by the end of the day the stock had dropped 9.5% from its open."

Both companies were slammed by Visa, which may explain their stock death-spirals. Piper notes that both "were ultimately delisted by VISA as being non-compliant with the PCI standard, which meant their customers (merchants) could be fined if they continued using them, which meant merchants would either stop using these payment solutions or pass the fines onto them."

Sony might have been on Piper's list of exceptions, having fallen 6.6 percent on the New York Stock Exchange after its very public breach disaster came to light last November, but Deadline reported it was "tough to find a Wall Street analyst who would attribute the fall to the computer hack." Marketwatch said that afterward, Sony's stock price rose "41% from a post-breach low of $19.73 on Dec. 16, setting fresh four-year highs."

Then again, Marketwatch also reported in April that "cyberattacks don't hurt stock prices" -- and in TalkTalk's situation, this is clearly not the case.

Harvard Business Review's April article, the now-questionably titled "Why Data Breaches Don't Hurt Stock Prices," hinted at why the awareness among investors might be changing. They suggested in April that stock prices weren't getting dinged in the aftermath of all these egregious breaches because, "Shareholders still don't have good metrics, tools, and approaches to measure the impact of cyber attacks on businesses and translate that into a dollar value."

While wondering the same things about TalkTalk's conspicuous stock drop as we are, Scott Piper didn't find anything he felt to be a smoking gun. Except, he conceded, the reputation hit. With its bad infosec track record, and utter failure to handle the mess in the press, Piper suggested that "investors must have assumed the worst."

All things considered, after three hacks and "thousands of cases in which customers say they have either had their bank accounts raided directly, or have lost money after being persuaded to hand over access to their home computers," TalkTalk's investors wouldn't have been wrong to do so. The competition certainly didn't appreciate TalkTalk's infosec and customer trust bungling.

Perhaps if TalkTalk's stock slam starts a trend of cyber-awareness among investors, that bucket of cold water might just be what the doctor ordered.