As I’m sure is the case for many people, I woke up this morning to find an alert on my phone, informing me that Marriott (MAR)’s Starwood Group had been the victim of a data breach in their reservations database. Forgive me if I sound a little world-weary, but my reaction, which I’m sure is not that uncommon even among those like me that were likely affected, was a shrug of the shoulders.
The hacking of corporate databases is not a rare occurrence. Indeed, if you talk to cybersecurity experts, most seem to say that data breaches are a matter of when, not if, for all companies.
The stock market still reacts, however, and what that reaction means for traders and investors can best be demonstrated by looking at the stock of a couple of companies involved in high-profile incidents over the last few years.
In 2013, Target (TGT) suffered such a breach. Back then, breaches still had the capacity to shock and, more importantly to the stock, companies were unsure of how best to handle them. The theft of information at Target occurred late in 2013, and it became public early in 2014. At first, the scope of the problem was unclear, and as details began to emerge over the next months or so, the stock declined sharply for a sustained period.
As you can see though, by early February, once the story was completely out, a recovery began that brought TGT back to close to its starting point. Of course, that movement wasn’t just about the data breach. Stocks in general were declining somewhat at that time as there were fears about the strength of the Q4 holiday season, and the rebound was helped by earnings that indicated that those fears were unfounded.
Even so, if you took a “this too shall pass” attitude to Target’s massive data breach, you made money.
Because it was such a household name, and because so many customers were affected, the Target breach was somewhat shocking in 2014. By the time Equifax (EFX) suffered the same fate in 2017, people were more used to data being stolen, but that event was shocking for different reasons. The credit rating company had, by the nature of their business, detailed records of the financial transactions of almost every consumer in the U.S.
The attack directly affected well over 100 million people, and (temporarily at least) damaged trust in the company.
That, and the fact that Equifax initially bungled their response, made the drop in EFX much sharper. Once again though, as you can see, the stock recovered. It has never got back to the pre-scandal high of $147, but if you bought in mid-September when I wrote this piece recommending just that, you would have made over twenty percent in a couple of weeks.
Every data breach is different. The number of people affected, the nature of the information stolen and how the company responds all affect how the stock reacts to the news, not to mention the influence of the prevailing market sentiment. They are, however, so common that consumers and the market both seem to forgive and forget quite quickly.
This August 2018 Business Insider article identified sixteen businesses in retail alone that had been attacked in the preceding twenty months. The most frightening thing in that piece though is the estimate from Shape Security that 90% of login attempts at online retail sites are by criminals using stolen data.
That is a sobering though, but it suggests that blaming and punishing the corporation, as the market still tends to do, is pointless. It may pay to wait a day or two as information comes out but on that basis, and based on the evidence of price action following other incidences of data theft, MAR is worth buying on this drop.