Investors Couldn't Care Less About Data Breaches

On May 21, EBay revealed that it had suffered a cyber attack and data security breach, and users’ information—names, account passwords, e-mail addresses, physical addresses, phone numbers, and birth dates—was exposed to hackers. While security experts, the news media, and actual EBay users may have all been alarmed, the stock investors weren’t. EBay’s stock finished trading virtually unchanged that day, dropping all of 8 pennies to $51.88.

That’s been the trend among companies that have suffered cyber attacks—the stock market practically ignores them. Consider Target and its own well-publicized data breach that happened back in December. Target’s stock didn’t really move at all. Investors sent a clear message they didn’t care. The stock fell several weeks later, in January, only after the company cut its earnings forecast. Even so, the stock rebounded in the next six weeks.

Target shares have been falling since last year, for a lot of reasons unrelated to the data breach. Poonam Goyal, an analyst for Bloomberg Industries, says: “There is softness in the industry. Lower-income customers are struggling, and you’re seeing weakness with competitors like Wal-Mart and other department stores.” She also points out that Target isn’t the hot company it was a few years ago, as a lot of other companies have adjusted their tactics—focusing on price, rotating smart designers, and being a haven for treasure hunters. “Target was different before, but what about now?” In addition, its Canadian expansion “has a long, long way to go. They have issues in consumer perception there.” Goyal’s analysis suggests Target would have been under pressure—regardless of the data breach.

Compare that with T.J.Maxx, which had a data breach affecting 94 million customers in 2007. Its stock similarly dropped about 12 percent in two months, only to completely recover a couple of months later. In fact, that bottoming out turned out to be a great buying opportunity in the stock. There was no long-term damage to the company’s fortunes—in the years following, share prices surged to five times the pre-breach levels.

Another big company with a recent problem was JPMorgan Chase, which revealed in December that 465,000 customers were at risk of having their data compromised. Despite being such a large number in absolute terms, it only represented 2 percent of the 25 million who had that particular UCard product—barely enough to move the needle on the overall business or reputation of the bank. Not surprisingly, JPM stock was back to flat in two weeks.

Adobe Systems announced a data breach in October that affected 38 million users—including 3 million encrypted customer credit card records. The stock kept moving like nothing happened. It was at $52 then, and now it’s at $62. Punishment? No.

We could keep belaboring the point, with prior examples from Fidelity National Information Services and Heartland Payment Systems. Same story: breaches, quick stock drops followed by eventual recoveries.

These numbers suggest that investors just don’t care much about data breaches, while hackers are incentivized to keep trying to steal data. Maybe that’s why these events will keep happening. History repeats itself. And if you see a stock that goes down because of it, that’s always proven to be a good buying opportunity over the long haul.

    Before it's here, it's on the Bloomberg Terminal.