The $5bn hack

Just before I give a client talk, I always check the news in case there has been a breach that I could get asked about. Two weeks ago today, I was sitting in the audience at a conference having a quick scan of my phone before going on stage for my slot. I saw news of the 143 million customer records compromised in the Equifax hack. I then googled the Equifax share price. The markets hadn’t yet opened in the US but the shares had dropped a fair amount in overnight trading. I got up the calculator app on my phone and did a quick sum - $2.3 billion. Out of hours trading is notoriously volatile and I had no idea whether the shares would bounce straight back but I had the attention grabbing fact for my introduction.

I just rechecked the price and got out my calculator again. The share price is now down $5.4 billion – more than 30%. I’m not going to try to predict what happens next, and you can find people who will tell you that the share price is going to go up or down from here. But whatever happens, $5 billion is real money. There is plenty of comment available about what Equifax have done right and wrong which I won’t repeat. But I did want to consider how the share price impact can be so big, especially since the share price impacts of a previous generation of breaches have been limited. Research published earlier this year showed that the share price impact of disclosing a hack had risen from 0.2% in 2013 to 2.7% in 2016. But 30%?

It appears to me that there are two factors here. The first is the type of company. Equifax is in the consumer data business and the scale of the attack raises questions about the seriousness with which they have been taking their responsibilities to protect that data. And secondly, the announcement and subsequent response has failed to reassure customers or investors. Many companies that suffer breaches are thrown into the spotlight in a hurry. Demonstrating that you understand the damage caused to others, focusing on rectifying that damage and showing credible commitment to prevent a reoccurrence can substantially mitigate the financial impact. Equifax took at least four months to announce the breach but does not seem to have spent that time preparing a credible response. And now they have lost control of events and a fair chunk of their credibility as an organisation. And finally, I wonder also whether we have moved in the last couple of years from a world in which a major business getting surprised by a hack was disappointing but understandable to one in which it is simply no longer acceptable.