In 2016, it felt like there was a new company in the spotlight for a cybersecurity breach almost weekly. So how did these events, coupled with the market volatility we saw in 2016, affect stock performance for five of the larger organizations breached?
1. Verizon Enterprise Solutions (March 25, 2016)
Verizon Enterprise Solutions, a division of Verizon known for providing IT Services and data breach assistance to global businesses, including government agencies, was hacked in the winter of 2016. Through the breach, the contact information of about 1.5 million customers was stolen and listed for sale in an underground cybercrime website.
As we can see below, while this event (highlighted in red) did not have an immediate impact on the company’s stock price, its performance quickly declined in the next few weeks. Between March 25, 2016 and Verizon’s earnings release on April 21, 2016, the company’s stock price deflated by 6.59%.
Later in the year, Verizon acquired Yahoo Inc.’s core properties for $4.83 billion. A few months after the acquisition was announced, there was buzz of a large security breach at Yahoo. While the large security breach at Yahoo could create issues for both companies, it has yet to be seen how this will impact the deal if at all.
The chart below shows the price ratings for April 2016, over the course of a year. While the data breach news was released in March, there were only 3% of analysts that gave a “Sell” recommendation from March to May of 2016, even though the price continuously dropped over the three month period. Overall, analyst recommendations stood steady at a Hold or Buy, despite data breach news that may have put Verizon in a poor spotlight and negatively impacted the stock price.
2. Wendy’s (May 11, 2016)
Over the course of about six months in 2016, Wendy’s was the victim of an ongoing malicious cyber activity. On May 11, 2016, Wendy’s reported that it was in the late stages of investigation into unusual card activity at some restaurant locations. The company believed that malware has affected fewer than 300 of its roughly 5,500 franchised restaurants.
Again, while there was not an immediate effect on performance, there was a longer-term decline in performance over the next month. On June 9, 2016, Wendy’s released an update indicating that an additional 50 restaurants had been affected by the security breach. Following the announcement, there was an immediate reaction from the market, which resulted in the restaurant’s lowest stock price since February 2016. The last update from Wendy’s on July 7, 2016, provided closing and clarifying remarks for any affected clients.
Between the first press release on May 11, 2016 to the last remarks in July, Wendy’s stock price took a -6.28% hit. While the price performance appears to correlate with the security breach over those three months, Wendy’s stock price ultimately rebounded to close out the year. Wendy’s 2016 performance was positive 26.71%, more than double the S&P 500, which increased about 11.24% in 2016.
In the case of both Wendy’s and Verizon, it seems investors did not immediately react to the markets, but ultimately, the security breach affected earnings leading to a bigger toll on stock performance.
3. LinkedIn (May 17, 2016)
LinkedIn was subject to one of the largest security breach on record 2012, when a hacker stole 6.5 million encrypted passwords from the site and posted them to a crime forum on the underground web. However, the attack did not significantly decrease LinkedIn’s stock performance.
In May of 2016, the company found itself in a similar situation, after a Russian hacker was caught selling 117 million of the email and password combinations stolen from the social media website. LinkedIn’s response was to ask users to change their passwords, and the news seemed to blow over.
There was no direct effect on the stock’s performance from the May incident either, which is curious compared to the other incidents in 2016.
That being said, after 2015’s year-end report, there was a 43% decline in price performance, starting off the year at a very low stock price for LinkedIn. Historically, the stock price stayed within the $150 to $200 range, but with the plummet at the beginning of 2016, the stock price was just about $100.
Starting the year out this way, would it have been possible for the market to react even more poorly to LinkedIn’s security breach in May? The security breach news came out at nearly the same time as Microsoft’s announcement that it would be acquiring LinkedIn in June 2016, which sparked an almost 50% price performance increase. From February 2016 to July 2016, performance had recovered and was up much closer to the original price at the end of 2015. In this case, it seems like the security breach virtually had no effect on the stock’s performance, as it was clouded by more ground breaking new
4. Oracle (August 12, 2016)
On August 12, 2016, Oracle reported that it had suffered a security breach via its MICROS payment terminals. The malicious software stole hundreds of client login credentials and many believed that the MICROS system composite was an explanation for why so many shops, hotels and retailers were experiencing security breaches at their point-of-sale systems.
Oracle had acquired the MICROS point-of-sale technology in 2014 for $5.3 billion, and it is used by major hotel chains like Hyatt, Marriot, and Hilton, as well as in the food and beverage Industry at large chains like Starbucks and Burger King. According to a presentation from Oracle in 2014, the system was used by 330,000 sites across 180 countries.
Similar to the Verizon and Wendy’s breaches, there was not a direct impact on the price at first; however, longer term there was a decline in performance. The larger decline was in large part due to the earnings report in September, but earlier that month, there was about a 3% decline in price performance. It’s hard to say if the security breach was the cause of either dips in performance.
Looking quarter over quarter in FY2016, Oracle historically released positive surprise on its earnings announcements, although this lead to a negative price impact in the end. However, in August 2016, when the data breach was announced, there was a negative earnings surprise of an outstanding 5%, which negatively impacted the security’s price by almost the same percentage.
By the beginning of the next fiscal year, the security’s price was still negatively impacted by earnings surprise releases. While analysts are predicting earnings to rise with Oracle’s earnings release in February 2017, they have consistently revised their estimates to be lower month over month for the past year. When Oracle released guidance in December 2016, this only increased the number of down revisions for February 2017’s Q3 Earnings estimates. The biggest increase in downward estimates was from August 2016 to September 2016, when 21 estimates were decreased. This is the same time that the data breach news was released at Oracle.
5. Yahoo! (December 14, 2016)
Less than three months after announcing a 2014 data breach that affected 500 million users, Yahoo! had reported yet another hack, this one even bigger than the last. In December 2016, Yahoo! discovered another breach may have compromised the personal information of as many as one billion Yahoo! accounts, including sensitive data like names, telephone numbers, dates of birth, and encrypted passwords.
Together, these two security breaches were the largest experienced by a single company and appear to have correlated with a drop in the company’s stock performance.
The first breach in September resulted in a 4% price drop in the four days following the press release. However, in December’s subsequent security breach, the price of Yahoo! decreased by over 7% in just two days, following the press release.
Since then, the stock price of Yahoo! has slowly climb back to the prices seen before the second security breach, but it has not recovered yet. Yahoo! is scheduled to report its 2016 year-end earnings on January 31, 2017.
Yahoo! is a unique case because unlike many of the other companies with data breaches in 2016, its were the two largest in history, and the company doesn’t have other streams of revenue to fall back on if a news event like a data breach were to compromise its business. In fact, 100% of Yahoo!’s revenue comes from the Technology industry, specifically Web Portal Sites and Software. Yahoo! has over 17% of the market share, but its biggest competitors make up 95% of the industry. Something as serious as the world’s largest data security breach could have serious effects on consumer sentiment and cause consumers to move to competitors.
Although there was an abundance of security breaches and hacks in 2016, there doesn’t seem to be a great pattern on affecting performance in the short term. In some cases, it was clear that it took the market a few weeks to react to the news of a security breach, but eventually there was a large decline in performance. In other cases, the security breach news was over shadowed by other developments, making it difficult to correlate security incidents with performance in a meaningful way.
It could be argued that no press is bad press; however, in the case of the “largest known security breaches of one company’s computer network” at Yahoo!, it is safe to say a large scale security breach or hack has a significantly negative affect on performance.