It’s always interesting to see if a company’s stock prices take any hit from a breach. Nick Fletcher reports on The Guardian:
Leading shares are moving higher ahead of the US jobs data, with banks boosted by news of a deadline being set for consumers to claim for mis-sold payment protection insurance.
But Experian has dropped more than 4%, down 49p at £10.26, after news of a data breach in the US affecting 15m people who applied for service with T-Mobile. Analysts at Barclays said:
In the near term, the greatest hit to Experian is the damage to its reputation and its effort to establish the “Experian.com” brand in the direct to consumer credit monitoring space. Unlike [recent data breach victim] Target (a retailer), Experian’s business is that of handling data, which makes this incident particularly embarrassing.
Undoubtedly a breach of this magnitude is a major setback, especially to a company that takes data security very seriously. T-mobile is obviously reviewing its relationship with Experian. In itself the loss of one client is fairly immaterial (a few million $ in our view) but if it triggers other account reviews, it could become more significant.
In addition we would expect to hear comments from the regulator (CFPB) who could launch a review of Experian’s security policies.
What about the FTC launching a review of Experian’s security policies and data security? Both agencies have relevant authority.
But they (Barclay analysts) added:
…. Whilst unfortunate we don’t think it will trigger a mass exodus of clients, although that will depend on the robustness of Experian’s response and the steps it takes to shore up security. It will of course make Experian’s task of rehabilitating its consumer business much more difficult.
In terms of financial cost, we would expect some one-off expenses in relation to this ($10m is our initial estimate) as well as likely further incremental spend on data security going forward (which has been rising anyway). As a rule of thumb, an additional $10m on ongoing expenses is just under 1% of group pre-tax profit, other things equal. Even a Target-like result (although unlikely as no credit/ bank data was stolen, in our view) would only represent a 1% hit to market cap. The longer-term reputational damage is harder to ascertain, but we think Experian’s B2B customers will be supportive as long as Experian moves quickly to restore confidence in its data security.
In other words: it’s likely no big deal.
So to review: Experian has had over 100 data breaches since 2006 involving its credit-reporting database(s) and it’s no huge deal. It had a huge breach involving Court Ventures, a firm they acquired that was involved in a massive ID theft scheme, and still nothing. Now they have a hack affecting 15 million T-Mobile USA customers, and still, it’s not likely to make a real dent in their business and profits?
What will make a dent or difference, then? What if we had a regulator who could do what South Korean regulators did – prohibit a company from signing up any new customers for months as part of a penalty for inadequately protecting customer data? What if heads at the top actually rolled? Would either of those make a difference? What, if anything, can we actually do that might make a difference?
credit freeze.
Opt out of the 3rd party offers from all 3 credit agencies.
That eliminates some revenue and passing of generic personal info to 3rd parties looking to take advantage of people with decent credit.
I agree – a security freeze is much more effective/proactive than Experian’s “ProtectMyID” “credit monitoring.” If you’re not planning to apply for any new loans or credit accounts in the near future, a freeze is much more protective. The freeze can usually be done for free if you notify one of the major credit bureaus that you were notified that your identity information was stolen.