October 22, 2024 | Insights

Trendlines: Who Leaked My Data This Time?

Data breaches occur so often they don’t seem shocking anymore. Whether it’s a major headline or an apology email in your inbox from an affected company, cyber attacks are commonplace. This month we take a deeper look at some of the biggest data breaches in the US over the last several years.

 

We first asked ourselves, how do these incidents affect the cybersecurity ecosystem? Surely a widely publicized attack may prompt investors to reevaluate their cybersecurity holdings. But would the market view these breaches as further highlighting the importance of these companies’ offerings, with these stocks surging as a result? Or would these stocks fall due to perceived failure in protecting the target companies?

 

We mapped out major breaches against an index of cybersecurity stocks:

 

 

Cybersecurity companies actually seemed to stay above the fray, with little to no negative impact on cybersecurity stocks following these incidents. These data breaches would seem to reinforce the broader need and continued high demand for cybersecurity solutions. This was especially true during the pandemic when there was a significant surge in breach activity – 7 breaches noted above over a 9-month period beginning December 2020. During that time, cybersecurity stocks shot up exponentially only to cool off when breaches finally abated.

 

It’s worth noting that in all these cases, no cybersecurity vendor was implicated and at fault. Rather, the blame often fell on the target companies’ own poor internal security practices or glaring oversights in addressing some of their IT vulnerabilities.

 

Next, we looked at the target companies and how investors reacted to each attack.

 

 

While most companies suffered minor stock price hits and recovered within a few days or months, two targets stand out: Equifax and SolarWinds. While the other breaches could charitably be viewed as operational / back-office oversights, these two incidents arguably exposed each company’s core value proposition as fundamentally unsafe. One of Equifax’s main business models was based on consumers providing their personal data to get their credit scores; the data breach essentially put an end to that line of business. SolarWinds, an IT monitoring software provider, ended up infecting many of the customer networks it was trusted to monitor.

 

Only one company so far seems to have been brought to its knees by its data breach: National Public Data, a one-man data broker operation that handled millions of personal records. The company was forced to file for bankruptcy after receiving more than a dozen class-action lawsuits once the breach was revealed.

 

Finally, we analyzed how the breached companies responded to each attack. While there is no standard playbook, there are a number of common steps that targeted companies opt for:

 

Quite a few things jumped out at us:

  • One-third of these companies thought waiting was the best strategy – anywhere from a week to over 2 months between discovery of an issue and public disclosure
  • Half of these incidents were first reported on by a third party, rather than by the target company, forcing a scramble to publicly respond
  • Massive data scrapes got a “not our fault, change your settings” response from Facebook and LinkedIn
  • Equifax’s executive team were the only ones who lost their jobs as a result – but in a wild coincidence, SolarWinds announced a CEO change just days before their breach was discovered
  • The biggest winner for third-party investigators was Mandiant, which was utilized in six of the incidents we studied

 

Data breaches will be around forever and personal information will continue to be at risk. In the major incidents we looked at, other than with Equifax, no one lost their job. Whether this is a lack of accountability or the ability to continue on as if nothing ever happened, it makes it clear to the average citizen that it is effectively the cost of doing business online. Don’t like it? Go wait in line at the bank.

 

Here at Bowen, we hope to play a small part in the ongoing battle for data protection with our cybersecurity practice, advising innovative companies fighting the good fight against online security threats.

 

This article appeared in our October 2024 issue of From the Front Lines, Bowen’s roundup of news and trends that educate, inspire and entertain us.
