| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by Topfi 710 days ago

I have a few examples I remembered where there was both short term impact on the stock directly after the publication of a breach and the stock remaied at a lower point across an extended period of time. I have to admit though that it is nearly impossible to attribute how much of this drop in value and the stock staying at that lower level can be directly attributed to the breach compared to other reasons, such as general performance, etc. However, on the other hand, this also does not reflect the likely high spending a company tends to do in the aftermath of such a breach on better security, PR, settling lawsuits, etc. which most certainly exceed 75k, a rounding error for business of any significant size.

Anyways, here a two examples of the top of my head:

Of course, the big one, Equifax, which had a significant drop in the week after the announcement. It took roughly two-years for the stock to trade at pre-breach levels [0], likely in part due to their less than stellar handling of the aftermath, though I'd still consider that directly linked to the breach.

More to the point, there was Yahoo, which I wanted to mention because its impact was more clearly measurable. What was weird about that one is that their case centered around a belated (by two years) announcement of a breach they faced between 2013 and 2014. That did impact their stock, but more importantly, it's the reason for a 350 million USD reduction in the acquisition price Verizon had to pay for Yahoo. Verizon agreed to cover half the cost of non-SEC government investigations and third-party lawsuits (which I feel also would fall under hitting their "bottom line"), while Yahoo covered the other half and any liability from shareholder lawsuits or SEC investigations. That 350 million USD plus fines to me is the clearest number one can put on a breach and I feel it shows that, whatever one thinks is fair compensation for reporting 0-days, 75k is far removed from that.

So yeah, there have been cases where a security exploit seriously impacted the finances of a publicly traded company and keep in mind, I only stuck with actual reductions in their stock value/acquisition price.

[0] https://www.marketwatch.com/investing/stock/efx

[1] https://www.geekwire.com/2017/verizon-pays-350m-less-yahoo-f...