Security research, news and guidance

Share prices and data breaches

May 9, 2011  |  Written by Security Ninja  |   Data Loss   |   4 Comments

Hi everyone,

I’m sure by now you are all aware of the Sony data breach so I won’t go into the details of the data breach here but I do want to look at the way security professionals have reacted to this data breach. To be specific I want to quickly discuss the use of a companies share price to try and show a financial impact related to the data breach.

I’ve seen a lot of people refer to the recent drop in the Sony share price as being an indicator of financial impact but is it really a smart thing to do? I’m not an expert in analyzing the performance of shares but I do know that basing opinions on short term performance is definitely not the best approach which brings me nicely onto the Sony share price.

There is no hiding away from the fact the Sony share price did drop after they announced their first data breach on the 26th April 2011 as you can see in the chart below:

From the closing price of $29.72 on the 26th April 2011 the share price dropped by $1.61 to a closing price of $28.11 last Friday. So the share price did drop after the data breach was announced but was this a big drop for Sony or even out of the ordinary?

Let’s take a slightly longer term look at the Sony share price over the past six months from the 10th November 2010:

The large drop in early March is partially due to (I think) the Tsunami that hit Japan on the 11th March but take a look at the graph carefully. The seven days leading before the Tsunami (3rd March – 10th March 2011) the closing price of the Sony shares dropped from $36.36 to $34.26 (down $2.10). It isn’t difficult to find other examples of the Sony share price taking a drop as big as, or bigger than the drop following the data breach announcement in the last six months. The closing price dropped by $1.79 between the 3rd and 15th February, it dropped by $2.18 between 12th and 21st January for example.

The Sony share prices could drop again today and we will be able to check this when the markets close but making statements based on short term share price changes is silly. I hope the examples above show that share prices changes like these happen quite often and it’s important to monitor the long term prices before trying to tie financial losses back to data breaches. I would argue that even then it’s difficult to do, if Sony’s next piece of technology is a hit the share price could rocket and any potential longer term impacts from a data breach won’t be visible in my opinion.

It is too early to know whether this data breach will have a long term impact on the share price of Sony so let’s take a look at two other two companies who lost a large amount of data over the past few years. I would imagine that most of my readers know the history of the TJX and Heartland Payment Systems data breaches so again I won’t go into the details here but we can take a look at their share prices.

The TJX breach was announced in March 2007 and the share price was around $28 at the time. Like Sony the share price did move up and down slightly but it wasn’t until 2008 where the price dropped by $16.82 from $36.24 in August 2008 to $19.42 in January 2009. The share price recovered very quickly and finished the year higher than the August 2008 high at $36.55. You can see in the chart below the share price has pretty much continued to rise since then finishing last week at nearly twice the pre-breach share price:

So what about Heartlands Payment Systems? The Heartlands breach was publicly announced on the 20th January 2009 and the share price closed the previous Friday at $8.54. This dropped by $4.51 to a closing price of $4.03 on the 2nd March 2009. The share price for Heartlands closed at $20.90 last Friday just over two years after the breach, five times higher than the lowest share price after the data breach:

I hope you can see from this information that using very short term share price drops as proof of a financial impact post data breach is flawed. Share prices move all the time and if you used such short term changes to invest in shares you would be called a fool.

The share price changes in the examples above are generally quite small, which could mean share price doesn’t really get impacted by security incidents at all. The examples above show that they aren’t really affected at all longer term. If you compare this to the impact on share prices in other industries after an incident the drop in share price can be more dramatic. The drop in the share price of BP after the Deepwater Horizon oil spill was dramatic, far bigger than any drops relating to security breaches I believe.

The BP share price dropped by $32.88 from $59.88 the day before the oil spill to a closing price of $27.02 two months later. The share price is recovering very slowly but still closed $15 below the pre oil spill price of $59.88 last week.

The TJX and Heartland share prices had both recovered to be higher than the pre security breach “price drop” share price within 12 and 15 months respectively.

This isn’t a scientific analysis of the financial impact of data breaches but I hope this blog post makes it clear why I think pointing at short term share price changes as evidence of financial impact is flawed.

I’d love to hear your feedback on this blog post!


This entry was posted on May 9, 2011 at 4:46 pm and is filed under Data Loss . You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.


  1. Pingback: Will Future Hackers Be Short-Sellers? | All Things VoIP - VoIP Phones, VoIP Products, VoIP Services, etc...

  2. Pingback: IT Business Reviews » Archive » Will Future Hackers Be Short-Sellers?

  3. Pingback: Web Application Security – Creating FUD « wh1t3rabbitfail

  4. Gary Hibberd says:

    I think this is very interesting. I’ve looked closely at the topic of ‘Business Impact’ via the BIA process in Business Continuity. Looking at share price after an event does help illustrate that their is financial losses to be felt. But it is only one indicator.

    I usually (and quickly) move onto discuss the more intangible impact upon reputation, long term. The old adage of ‘it takes a hundred years to build a reputation but only seconds to destroy it’ rings true with large scale events such as these.

    The question I often pose to Boards and CEO’s is; “What is your reputation worth to you individually and collectively as a business?” After the silence comes a dawning recognition that although their share price may improve, the personal impact upon them can stick around far longer.

    I would also like to add that the ‘to big to fail’ position left us with Enron and the big question really is – Who wants to take the risk of being the next Enron?!

    Thanks for the blog… great work.

Leave a comment


Look at our latest security Videos & SlideShares


Upcoming Security Events & Seminars


Check out our Podcasts & White Papers