Stockholder Fallout Over Data Breaches

Target, Neiman Marcus, Living Social, Adobe, and the United States Federal Reserve are just a few of the casualties of the latest wave of data breaches. And now, eBay? How could such a beloved international company that is able to sell… well, anything, be vulnerable to a cyber attack? How have shareholders reacted to a stock drop since the announcement of the breach? eBay and the others will need to pay close attention to the Target fallout.

Interim chairwoman of Target, Roxanne Austin, pleaded to the board, “Under the board’s leadership and oversight, Target took significant action to address evolving cybercrime risks before the breach.” In a letter to shareholders, the shareholder advisory group for Target, Institutional Shareholder Services, was quoted as saying “that the majority of Target’s directors did not deserve to be re-elected because they had not provided sufficient risk oversight before the breach.” They recommended that the shareholders vote against seven of the ten board members for removal. No one is questioning whether Target spent enough money (hundreds of millions of dollars) on technology that “should have worked.” The problem lies in their solution of continued housing of sensitive data.

Target acknowledged that their FireEye software worked as designed to isolate incoming traffic and suspect activity. Too bad alerts don’t equal a security solution. Why do companies like Target still spend millions of dollars on on-premise security measures that do not reduce PCI compliance or reduce their risk of a breach? Why are they storing sensitive data when it is not necessary? I am certain that they could use the $61 million that they have spent so far recovering compromised records.

There is a litany of excuses as to why the money they spent should have been able to satiate their security needs. Instead, we are exhorted to change passwords and usernames, i.e., fixing a systemic security problem with duct tape and patchwork. Companies have yet to understand that storing sensitive data in their environment is no longer just a threat of one customer losing their information, but a threat to an entire organization’s financial future. Stockholders will not stand for lost profits, and the execs in security roles are presenting themselves as sheep for slaughter without forward-thinking solutions.

The problem is that the stockholders are dooming themselves to repeat history with future data breaches. To exacerbate the situation, security staffs are passing off accountability to the executives by having the executive "accept the risk" with formalized operating agreements. So, shareholders continue to hold the wrong people accountable and allow history to repeat itself. There will be a rash of firings, with lofty severance packages, and no one is the wiser.

The frustrating issue for the customer, whose personal data is now available to the cyber thieves, is that stock prices dip and then recover, oftentimes increasing share value. Adobe was trading at $52 during the time of the breach and is now at $65. Stockholders are focused on their personal investments and not security solutions. Does that make you feel any more comfortable that they are the chief decision makers with your data security? Get breached, fire the exec, rinse and repeat. Now is the time to take a deeper look at cloud tokenization: removing toxic data from your environment, reducing PCI compliance/scope, and not being the next casualty.
