If an organization gets breached, its stock will take a nosedive.
This is a canon that has been ingrained into the minds of business leaders and the public for years, and has been an effective way for security teams to grab the attention of the C-suite.
However, the actual stock values of companies suffering high-profile data breaches versus their S&P 500 predictions are calling the truth of this tenet into question, especially when it comes to Target Corp., The Home Depot Inc. and Sony Pictures Entertainment.
Gunnar Peterson, analyst with Phoenix-based research firm Securosis LLC, published a blog post Wednesday revealing that since the day their respective data breach incidents first became publicly known, these companies' stock values have actually "substantially outperformed" the S&P 500.
For example, Sony Corp.'s stock growth from Nov. 24, 2014, through Tuesday exceeded that of the S&P 500 by more than 26% (28.3% vs. 2.2%). The trend continued with Home Depot from Sept. 9 (31.3% vs. 6.4%) and Target from Dec. 19, 2013 (23.8% vs. 16.9%).
It raises the question: If a company is breached, does it mean its stock value will soar? And if so, why?
While stock values are helpful numbers, Peterson said it is important to note that they are merely a "sum of all the guesses" and can vary depending on the optimism or pessimism of a day. Disentangling stock values from the performance of the underlying business, Peterson said, is where the truth lies.
To see the full story of a company's post-breach health, Peterson recommends looking at the organization's income statements, balance sheets and cash flows.
In 2013, Peterson wrote an in-depth six-part series on the effects of the Heartland Payment Systems Inc. breach, outlining the income statements, balance sheets and cash flows of the company in the years following the breach. Heartland's operating margins dipped directly after the event, Peterson found, but recovered and grew beyond their pre-breach levels less than three years later. And, like the other breached organizations, Heartland's performance has beaten the S&P by 87.4 since its breach in January 2009.
What makes breached companies fare so well, then? Is this a coincidence? Did they all do something right?
The important takeaway, Peterson said, is that companies can bounce back from a breach; they're a lot more resilient than people give them credit for.
"They didn't just fold their tent and go home," Peterson said. Rather, the companies endured the hit, learned from the mistakes, adapted, invested more money in security and emerged -- seemingly in all cases -- better than ever.
"I've always heard that security and 'the business' are at odds with each other," Peterson said. "But that doesn't really seem to be the case here. These companies get breached, spend money to upgrade their systems, and boom! They thrive. These companies are doing so perhaps because they invested in better security and reliability."
It turns out to be true in the case of retail breaches, such as Target and Home Depot, but what about the non-retail sector? Will health insurer Anthem, which confirmed earlier this month it was breached and announced Tuesday that up to nearly 19 million additional non-Anthem members may be affected, meet the same fate?
Anthem could be put in the same boat as Apple, Peterson said, which experienced the iCloud hack last September. Since Sept. 2, 2014, the company's stock has exceeded the S&P 500 by 22% (28% vs. 6%). If -- like Apple and other breached companies -- Anthem invests more time and resources to protect its customers, Peterson suggests, it should be fairly confident that the breach will not run it out of business.
So will a breach always yield positive results? Of course not.
"I don't think this is a law of nature or anything," Peterson said. "There easily could be breaches down the road of a different nature where the impact could be much more far-reaching." This will likely occur, Peterson believes, when intellectual property -- rather than credit card data -- is involved.
For the time being, Peterson is happy with the fact that two age-old myths are being dispelled: first, that data breaches always result in a dip in stock price, and second, that security and the business can't coexist.
"This dichotomy that we've always created that security is somehow anti-business or vice versa isn't true," Peterson said. "These companies have spent money [on security] and it hasn't ground their business to a halt."
In other news
- More than 14 months after the massive Target breach that affected 70 million customers, the company released its full-year 2014 and fourth-quarter 2014 reports, revealing that while its stock may be rising, it is still incurring costs related to its breach. The release stated Target incurred breach-related gross expenses totaling $191 million, $35 million of which was covered by insurance. A total of $4 million was incurred in Q4 2014. These numbers align with predictions the company made in August 2014.
- Gemalto NV published a press release Wednesday confirming it has conducted a "thorough investigation" into the allegations that its SIM card encryption keys were hacked by the GCHQ and NSA. Reports received by The Intercept from former NSA contractor Edward Snowden purported that U.K. and U.S. spy agencies hacked into Gemalto's networks in 2010, and the company's investigation backs up the findings. Gemalto confirmed in the press release that it detected "particularly sophisticated intrusions" in 2010 and 2011 that could be those alleged by Snowden. Gemalto also stated the attacks only breached its office networks and "could not have resulted in a massive theft of SIM encryption keys." The investigation also found that only 2G mobile networks could be spied upon – not 3G or 4G networks. Additionally, because of the secure transfer system Gemalto had widely deployed in 2010, only "rare exceptions" could have led to the theft of encryption keys during an exchange.
- Less than a week after news broke that the Superfish malware that came preinstalled on consumer Lenovo devices made users vulnerable to man-in-the-middle attacks, it appears the problem is more widespread than initially reported, despite the declaration from Superfish CEO Adi Pinhas that the software poses no threat to its users. In an Electronic Frontier Foundation blog post published Wednesday, researchers wrote that the software library Superfish uses to intercept traffic, which was developed by a company called Komodia, has been located in more than a dozen additional apps, putting a variety of non-Lenovo devices at risk. EFF researchers found evidence of the attacks in the wild on sites including Gmail, Bing, eBay and Netflix, among others. The EFF also wrote that another piece of software called PrivDog is vulnerable to the same issue. Security researcher Filippo Valsorda created a webpage to help users test if their systems are vulnerable to Superfish, Komodia and PrivDog.