TalkTalk is an interesting case study: a publicly traded company whose stock price was heavily impacted by being hacked. Its stock (TALK.L) dropped 9% on October 21, 2015, the day of the attack, was down 22% a few days later from its price before the hack, and is still down over 20% from its price before the hack. This contrasts with almost all the other companies that have been hacked, which saw no impact on their stock price (more on that later). This raises the important question of why this case was different, because we need to watch out for that.
What is TalkTalk?
TalkTalk Telecom Group plc provides pay television, telecommunications, Internet access, and mobile network services to businesses and consumers in the United Kingdom. This "quadruple play" makes it roughly a British equivalent of Verizon Wireless combined with Comcast's triple play package, or T-Mobile combined with the Dish Network. However, with only 4M subscribers, TalkTalk is a fraction of the size of those other companies, as Verizon has 135M subscribers and T-Mobile has 61M. Likewise, TalkTalk's market cap is $3.3B, whereas Verizon is $182B and T-Mobile is $32M. TalkTalk's competitors in the UK are BT, Sky, and Virgin Media, which are all much larger than TalkTalk with market caps of $40B, $14B, and $23B respectively (Virgin Media's price is the purchase price in 2013 when it was bought by Liberty Global).
October 21: The website is DDoS'd resulting in the website being taken down. A ransom is demanded resulting in law enforcement agencies being informed and an internal investigation begun. The stock plummets 9.5%.
October 22: TalkTalk informs customers and media of a breach and the world believes PII and credit card info for all 4M subscribers has been compromised. The site is also still down.
November 6: TalkTalk announced that only 4% of their customers (157K) had any PII stolen, of which 16K bank account numbers were stolen, but this was too little, too late.
November 11: TalkTalk releases its earnings report, and states the hack had a "one-off financial impact estimated at £30m-£35m" ($45M-$53M).
There was no other news from or about TalkTalk at this time. There were no earnings reports, changes in analyst recommendations, or other relevant news about the company. The stock prices of other companies in the sector were stable on the day of the hack, and the beta of TALK.L is 0.38, meaning the stock's price is normally much less volatile than the market in general. This stock drop was purely due to the hack.
Breaches and stock movements
As counter-intuitive as it seems, many of the major breaches have shown us that stock prices are not affected by hacks. The Harvard Business Review had an article in March this year titled "Why Data Breaches Don’t Hurt Stock Prices" where they concluded that it's because shareholders have become numb to news of data breaches and "have neither enough information about security incidents nor sufficient tools to measure their impact".
Another article elsewhere titled "Impact on Company Stock following Data Breaches" provides a table of 12 breaches and stock price movements, with most stocks actually going up slightly on the day of the breach announcement. Clearly this is not true for TalkTalk.
Those reports mention the breaches of Target and Home Depot in 2014, where credit card info was stolen as in the TalkTalk breach. These are well-known brands (as I assume TalkTalk is in the UK), but the breaches had no noticeable impact on their stocks.
Those hacks had some lag between the time of the breach and the actual news announcement and certainty that a breach had occurred, so we could instead consider Sony Pictures Entertainment's hack in late 2014. There it was immediately known that something had happened, because on November 24 all computers were rendered inoperable and showed a warning from the attackers. More publicly, Sony-related Twitter handles were taken over. The world knew Sony Pictures Entertainment (which makes up about 10% of Sony Corporation) had been hacked, but Sony's stock did not move. On December 8th a notice went out to all employees of Sony Pictures Entertainment that their PII had been compromised, and it became known that the emails and other confidential information of the company had been leaked. The stock dropped 3% that day, but that is mostly in line with normal price fluctuations of that stock around that time period.
The stocks that dropped
Despite the many cases of stocks that didn't move on news of being hacked, there have been some that did.
Heartland Payment Systems (HPY) suffered the largest credit card breach in history, with an estimated 130M customers affected. In the middle of the day on Tuesday, January 20, 2009, Heartland Payment Systems announced they had been breached (see the story from Krebs that day here). That morning the stock had opened at $15.06, and by close it was at $14.18 (-5.8%). The next day it didn't move much (closed at $14.11), but on Thursday, Jan 22, it closed at $8.18, which is a 45.7% drop from its open just a few days prior. It seems that on the initial news of the breach on January 20, it wasn't known how bad it really was and the news was drowned out due to that day being Inauguration Day for President Obama, but on Thursday people figured out what exactly was compromised.
Both of these businesses provide payment solutions for credit cards and other payment types. These are where merchants (such as Target) send the credit card info when a customer (such as you) swipes their card. The processor (Heartland or Global Payment Systems) acts as a middle-man between the merchant, the merchant's bank, and the customer's bank. A merchant makes their money by selling products to consumers, but a payment processor is selling the security of the transaction, so when they cannot be trusted, the core of their business is broken (explanation from mckeay.net).
Heartland and Global Payment Systems were ultimately delisted by VISA as being non-compliant with the PCI standard, which meant their customers (merchants) could be fined if they continued using them, which meant merchants would either stop using these payment solutions or pass the fines onto them.
What made TalkTalk different?
Some things I considered:
- 3 strikes: This was the 3rd time in 8 months the company had been hacked. Was the brand finally damaged enough that people lost faith in it?
- UK laws: Do UK laws have stricter punishments? Both of the previous hacks involved customer information, but made no mention of credit card information, so was this different because bank information was stolen? I am not a lawyer (in the UK or elsewhere) but the most relevant legal information I could find noted that the ICO (Information Commissioner's Office), which is a government organization in the UK, has already been investigating TalkTalk over its prior breaches. However, it can only levy fines of up to £500K ($760K), which wouldn't have much of an impact. Other laws may be more punishing.
- Business model: TalkTalk's business is based around locking people into long-term contracts, and once people sign such a contract, they tend to just stay in, so was this different because of assumptions that they might be forced to allow people to break their contracts?
- UK market sentiment regarding breaches: Are investors in the UK less accepting of breaches?
- Market confidence in TalkTalk's competitiveness: TalkTalk's stock had been steadily advancing through the year until a bad quarterly update on July 22 sent the stock tumbling. It crawled along for a few months and then got hit with the attack. See the chart below.
I couldn't find a smoking gun. I think the stock drop was a combination of a few things listed above, with a general belief that the courts would decide that enough is enough and announce that TalkTalk is incapable of protecting its customers through a class action lawsuit, fine, or mandate to allow its customers to terminate their contracts without penalty.
I believe this perception was made worse by the bad communication from TalkTalk regarding the attack. The website was down for at least 3 days, including during the announcement of the breach, making it difficult for people to get information about what had happened or what to do. Next, a spokesperson informed The Register that as part of the DDoS, customer data may have been accessed, which caused concern that they don't understand what happened since that doesn't make sense. Finally, the CEO came out to the media and in my opinion did not inspire any confidence. See the video here where she opens with "To be honest, I've not had very many hours of sleep" and looks frazzled. In a BBC interview she tries to explain that customers should check the email headers of emails they receive to ensure they haven't been spoofed, which is too technical for the general BBC audience. Investors must have assumed the worst.