by ForHackernews 708 days ago
> especially considering any such exploit would most certainly hit their bottom line/stock far beyond a few 100k.

This assumption seems misplaced. Can you give an example of a security exploit seriously impacting the finances of a publicly traded company?

This is also on the front page https://news.ycombinator.com/item?id=40944505 and I really doubt AT&T stock will suffer significantly. Maybe they'll miss Q3 targets, but they'll be fine. All the execs will get their bonuses.

3 comments

Google has 12B shares outstanding. A 1 cent hit to share price is already far more than $100K.
Google has thousands of things going for and against it at any point in time. Unless an event is bad enough to wipe out tens of billions at once, there’s no way to quantify. And what can’t be measured can’t be a target.
Solarwinds
How could I forget that one. Solarwinds is an even better example than the ones I remembered (Equifax and Yahoo).
I have a few examples I remembered where there was both short term impact on the stock directly after the publication of a breach and the stock remained at a lower point across an extended period of time. I have to admit though that it is nearly impossible to attribute how much of this drop in value and the stock staying at that lower level can be directly attributed to the breach compared to other reasons, such as general performance, etc. However, on the other hand, this also does not reflect the likely high spending a company tends to do in the aftermath of such a breach on better security, PR, settling lawsuits, etc. which most certainly exceeds 75k, a rounding error for a business of any significant size.

Anyways, here are two examples off the top of my head:

Of course, the big one, Equifax, which had a significant drop in the week after the announcement. It took roughly two years for the stock to trade at pre-breach levels [0], likely in part due to their less than stellar handling of the aftermath, though I'd still consider that directly linked to the breach.

More to the point, there was Yahoo, which I wanted to mention because its impact was more clearly measurable. What was weird about that one is that their case centered around a belated (by two years) announcement of a breach they faced between 2013 and 2014. That did impact their stock, but more importantly, it's the reason for a 350 million USD reduction in the acquisition price Verizon had to pay for Yahoo. Verizon agreed to cover half the cost of non-SEC government investigations and third-party lawsuits (which I feel also would fall under hitting their "bottom line"), while Yahoo covered the other half and any liability from shareholder lawsuits or SEC investigations. That 350 million USD plus fines to me is the clearest number one can put on a breach and I feel it shows that, whatever one thinks is fair compensation for reporting 0-days, 75k is far removed from that.

So yeah, there have been cases where a security exploit seriously impacted the finances of a publicly traded company and keep in mind, I only stuck with actual reductions in their stock value/acquisition price.

[0] https://www.marketwatch.com/investing/stock/efx

[1] https://www.geekwire.com/2017/verizon-pays-350m-less-yahoo-f...