Why Data Breaches Don’t Hurt Stock Prices (2015) (hbr.org)
69 points by wglb on Sept 16, 2022 | hide | past | favorite | 25 comments



It isn't so much data breaches but scandals, downtimes, and lost business that are impactful, it seems. The stock price may be fine, but revenue and future deals might be affected.

Honestly, I don't get how some groups get domain admin on some bigcorp and don't manage to make tens of millions of dollars.


The ones who are making real money you don't hear about because they're not gonna brag about their breach and cut off their access.


Bingo! The best criminals are the ones you never heard of, like Ralph84 =P


They do make tens of millions of dollars.

1. Most of the major criminal groups have turned their eyes toward crypto. It’s more lucrative than ransomware. See sources below for the huge lists of hacks and scams.

2. Not every group is in it for money. The major nation state attackers (besides North Korea) are in your system for information.

3. When you haven’t stolen money or a money equivalent, it can be extremely hard to fence the assets you’ve stolen.

SOURCES:

- https://blockworks.co/the-nine-largest-crypto-hacks-in-2022/

- https://web3isgoinggreat.com/?id=day-of-defeat-project-rug-p...


Yes, #1 or #2 are a given/implied but many ransomware operators don't make that much money when they don't get paid and even their ransom isn't usually $1M+.

You can use information to make money, ever heard of insider trading and extortion? Or straight up get on the treasury guy's PC and make payment transfers and approve purchase orders to yourself. With operations like that, once they get it into a bank account they own, they pay mules to get it out in cash in small chunks before the SWIFT transfer gets reversed; hopefully having multiple banks in the process will give them a week or more.


Short-selling would seem like a better way to make money from a breach: almost untraceable. Of course, if stock prices don't react to breaches, short-selling would not be profitable either.


What is cheaper? Investing in proper security for years and years without seeing anything, or paying fines to regulators once you get breached?

My guess is it's the latter :/


I think this is a meme, the idea that someone is always going to decide to pay X million in fines instead of paying for security.

The problem, surely, is that there is no "right answer" to what you need for security, no 100%, things that were worth it last year are no longer effective and on top of all of that, you have human beings working for you who make mistakes?

There is also the very real issue, hardly talked about, about rolling security into legacy applications/infrastructure. People talk like someone can just click their fingers and get 2FA/Webauthn/FIDO/Yubikey when most applications probably haven't been updated since 5 years ago and cost $1M per release in risk. Not saying it's good but that's how it is.


The problem is that they do not take any responsibility for the negligence and breach of contract - they were obligated to keep my data secure, they didn't, I might get defrauded now and they will never compensate me or anyone else.


> might get defrauded now and they will never compensate me or anyone else

If you're defrauded because of a leak, you have a claim for compensation. The problem is we have scant evidence these leaks cause consumer damages. There is the attribution problem–tying an instance of fraud to a particular breach is hard. But it's not so hard that we'd expect to see virtually zero cases.

What's more likely is having a list of credit card or even social security numbers is less useful than it might seem. To the degree fraud exists, consumers are largely indemnified, e.g. by card issuers.


I think you are, to some extent, making the cost look smaller than it is. Let's assume that someone gets enough of your info to take a loan out in your name. You can _probably_ (but not definitely) get that loan invalidated. However, to get back where you started, you may need to

- Convince the loaner that it was not you, which could cost many hours on the phone

- Get the credit impacts removed from your credit report, which could take many hours on the phone and web sites

- Retain a lawyer for dealing with the loaner

- Pay for any externalities in the process (mailing things registered, etc)

The above things can add up to days or even weeks of real, physical time; time which should be valued at no less than whatever you actually earn per hour. Plus the money for the lawyer.

And then, on top of that, it's widely considered that going through that process, where nearly everyone involved is incentivized to treat you as a lying thief and/or ignore you, can be fairly traumatic.

The cost is tremendous, and the emotional impacts can last for a long time.


This happened to my friend: someone took out a loan in his name, and there were data breaches at over 4 companies with his data. Good luck proving which one is to blame.


Isn't security pretty cheap if you want to have it from the start? Albeit you cannot include other companies' code and APIs to add features really fast, long term the maintenance cost should be comparable.


Not really, security makes everything harder. I have worked on classified projects which I think are a good benchmark for continuous security and it is definitely expensive, and it was on the lowest levels of classification.

Costs come from everywhere, from the time it takes to transfer a simple file when USB ports are blocked and internet access is very limited. Regular audits, limited privileges, and you can only run approved programs; keeping software up to date but you have to actually look at the change logs (no automatic updates); physical security (alarms, safes, access control, etc.). Also, you can't work from home.

Your company may do security differently, but there is always a cost. You may not notice a big "security" line in the budget, but that's because the costs are everywhere, because everything can be a target. And unlike correctness, security is a moving target. For example, if the code you wrote for a specific task does the task correctly, as long as the task doesn't change, it will work forever (hence: "if it ain't broke, don't fix it"). But things that were once secure may stop being secure as new attacks are found, even if nothing changes on your side.


It's cheap if you build it in from the ground up, and a well-thought-out security program shouldn't impact development velocity at all.

Retrofitting security later tends to be painful, expensive, and cause conflict.

In software companies, security teams should enable the developers as opposed to being a hindrance.

Secure code is code that tends to be better written, better documented, more performant, and pass tests. All of which are good things.

I'm always amazed at how many YC/VC-backed software startups seem to have no place on their team or board for security, which makes it a massive cost center later on when they try to retrofit it.


> Isn't security pretty cheap if you want to have it from the start

Without trying to sound condescending (because it really is a complicated topic), this seems like a viewpoint that could _only_ be held by someone who has never had to actually deal with it.

> Albeit you cannot include other companies code and APIs

That, alone, is a huge commitment.


The goalposts move. Up front requirements are cheaper to build.


Which is why we need to increase liability for these corporations. Make it expensive for them to not care. Security breaches are often caused by gross negligence.


So many things missing in this article.

Stock prices reflect the shareholders trust in the company. So the real question should be: why would a shareholder stop trusting a company after a cyberattack?

As the author clearly mentioned, it is considered nowadays a systemic risk. The more mature companies even have budgets and provisions for a cyber incident, notwithstanding cyber insurance.

Another reason why shareholders would not worry is that a cyberattack of large magnitude in a very large company brings a lot of benefits if you look at the balance sheet: the company indeed spends a lot of money, but look how/where. We can see that compromised large companies spend money in cybersecurity consulting services and cybersecurity acquisitions (licenses, hiring new people). It all adds up to increasing the actual value of the company in the eye of the shareholders: people gained new knowledge, it hired new capable employees, and it has augmented its assets. The only sunk cost is the potential fines.

As cyberattacks on a large company increase the value of the company, we can easily understand why shareholders are attracted to those.

Now the final question is: in which cases should shareholders walk away from a compromised company?

I would speculate on two hypotheses.

First, I think shareholders don't like the idea of a company getting compromised a second time within a short timeframe. That would actually be symptomatic of bad management.

Second, I think that cash flow plays a major role: are the company's reserves large enough to withstand the costs of a cyberattack (and a potential fine in the EU, if there is personal data involved), or will it require borrowing lots of money? If not, then shareholders should simply buy.

Assuming my hypotheses have some value, we could say that stock prices will be more affected negatively when shareholders don't trust the company to do what it takes to deal with the cyberattack.

To be honest I'm a bit frustrated that this article could be published on HBR. The analysis is too simplistic in my opinion, the author could have done more research.


That's why I think, long-term, ransomware attacks could actually be a good thing for online security.

Companies have to pay an attacker real money to get their operations back up, instead of just having to send some bs "mea culpa" email to their customers.


One might think, but the list of companies that have been ransomware-attacked twice or more is far from zero.



My cynical explanation: fund managers know that companies don't make money on smart people who care. There are few of them and they are too smart (and usually too poor too) to profit off anyway, not worthy of worrying. Profits are made of dumbasses, they don't care about data leaks anyway.


Because most people don't care about it and forget about it in the long term?


All eyes on NYSE: UBER now



