
AT&T stock has already bounced back from much of the initial -2.6% drop this morning, so the market thinks AT&T is immune. Meanwhile Snowflake is -3.9% down (they have many other customers than AT&T).

https://www.marketwatch.com/investing/stock/T

https://www.marketwatch.com/investing/stock/SNOW



I never got the impression that the market ever cares about data breaches. It seems most companies are rarely held financially responsible for data breaches anyway.

I would bet any effects you’re seeing in stocks is unrelated to this news.


I agree.

This is precisely why breaches keep happening and will keep happening. It costs money to implement security. There's no cost benefit to spending that time and money since there are no consequences.

Businesses do not spend money unless it will make them money or save them money.

There needs to be a hefty federal fine on a per-affected-user basis for data breaches. Also a federal fine for each day a breach is unreported.

That money should go into a pool which can be accessed by people who have their identity stolen.


Or have a lawsuit go through where someone can win quite a bit from data leaks. If each person affected sued and won 100k or so, or even 1k, AT&T would definitely be spending money on security.

But it appears $5 or credit monitoring from an agency that also gets hacked is sufficient for class action lawsuits.


That requires people to be rich enough to sue. It takes a lot of money and time to sue. Almost no one has enough resources to do this. The courts are not an effective way to implement this policy. Unless you only want rich people to be able to get justice.


110M people impacted = class action

The lawyers work on contingency


Class action suits regularly end up getting you "$5" worth of credit monitoring from the exact company who lost your data. It's a joke. Class action suits as they exist today in the US are an abject failure of justice.


If they end up with the company having to pay anything, it is greater than fines imposed by regulatory agencies… who should be doing this job.


showing damages is hard


Imagine the GDPR fine


Up to 4% of income. This is not the end of the world either.


And rich people usually do deals off-court. You will pay me this and we are ok. Because it's faster and both sides usually know their capabilities.


Most companies now include clauses that force arbitration and prevent you from using a class action lawsuit. This type of sidestepping of the public justice system should be outlawed, retroactively, with retroactive lawsuits (by extending the statute of limitations), retroactive fines, and retroactive jail time.


“12 months free credit monitoring with auto-renewal”.


> It cost money to implement security.

Yes, but no amount of money will stop the data in a big database being stolen by someone sufficiently motivated to steal it. It's just bits on someone's disk.

The only true solution is to not create the database. But then what would all the data scientists and their MBA masters do with their time?


In this case it’s pretty tough because the phone company does need this metadata just to bill people. So they should protect it properly.


It's an interesting issue; it's kind of like software piracy: so what if someone steals the product, we will still make money on the product with the normal sale of the data in the first place. It's just making the news because it was a breach. It's not counted as a breach if the exact same party were to buy the data outright from ATT in the first place.


I don't see a reason for recording who contacted whom. If it's for billing, just record duration, if they're not an 'unlimited' customer, and flags on whether it'd incur extra charges (i.e. roaming, international calls).


This is the kind of information that the end user may want.

OTOH this could be an opt in decision with a warning on the consequences


Most breaches are because of developer incompetence. Throwing money at it won't really help. You need better basic security skills.


No two people are incompetent in exactly the same way. Hiring two developers to review each other's code leads to better code because they will often find problems that the other one didn't see. In a well managed organization (admittedly not a trivial caveat these days), more people working on security leads to better security.


Certainly, but for instance no sane developer should concatenate a string into a SQL query unless there is absolute certainty the string is safe. This should be reflex, not a matter of money or time.


People are always going to make bad decisions. Sometimes that is out of a lack of experience or knowledge which can be fixed by better training (which also requires money). Other times it is out of apathy, laziness, or something else that can't be easily fixed. Either way, time and money can provide extra sets of eyes to find and fix those mistakes before they lead to a breach.


Also, our defaults are the opposite of safe (most of the languages are still mutable by default, rigorous type systems are wildly unpopular, there is a straightforward way to concatenate strings inside a query, etc.), our disaster prevention tools and practices seem most often to be targeted at symptoms instead of the causes (god forbid we rethink our collective ways and create/adopt tools that are much harder to use incorrectly), and all of this keeps happening because there is no pressure for it to stop. What’s the incentive to?

I don’t think that there is room for a meaningful and honest discussion about individuals in these circumstances.


There is some evidence that it does hurt stock prices:

https://www.comparitech.com/blog/information-security/data-b...

"Stocks of breached companies on average underperformed the NASDAQ by -3.2% in the six months after a breach disclosure"

That said, it's not clear what the long term impact is on stock price (if there is any).


Unfortunately, that analysis seems to have made absolutely no attempt to check whether the results are statistically significant.

Pick 118 random companies at 118 random points in time. It's vanishingly unlikely that the average returns of that group will exactly track the NASDAQ returns over the following 60 days. It might underperform, or it might overperform. An underperformance of 3.2% could easily just be the result of random chance, and have nothing to do with data breaches.


My hypothesis would be that companies with poor operational practices are more likely to underperform the index and have data breaches - in other words, that the study confuses cause and effect.

This wouldn't be that hard to test. I suspect that the breached companies underperformed in the six months before the breach as well as the six months after.


Also, events which are not "just" data-leaks but also interruptions or degradation in regular operations. I suspect investors may be more sensitive to those events and their fallout, and such events more likely to either be caused by bad-practice or to be somehow connected to data-leaks.


Really should be up to the government to fine these companies and pay out to those affected to disincentivize lax security standards.


Well, I guess we devs should also be looking at ourselves, then. A lot of the lax security comes from us collectively choosing to build applications using cloud services that talk to each other over the public internet. That pretty much describes the so-called "modern data stack."


How would such damages be assessed or proven?


They would be assessed according to rules written by people who are skilled at writing such rules. The rules would be evaluated by looking at data over time and revised as needed by experts in the industry who are as neutral as possible, maybe with some feedback from the public. The courts exist for any contention regarding responsibility.


They are very much related to the news, that's precisely why I linked to the stock charts: AT&T was flat overnight but opened (9am ET) with a -2.6% spike down, but has been recovering since. Their press release appears to have been Friday 7am ET shortly before market open [https://about.att.com/story/2024/addressing-illegal-download...].

Also as corroboration here's MarketWatch: "AT&T’s stock slides 3% after company discloses hack of calls and texts" [https://www.marketwatch.com/story/at-ts-stock-slides-2-9-aft...]


I'm not saying there's no way the stock pullback wasn't caused by the hack, but it's also important to note that MarketWatch article only establishes correlation, not causation.


Most linked financial news is auto-generated and auto-correlated. Lots of "why did.." when nobody knows, and frankly there often is no why. Perhaps that was the day a retirement fund shifted money, who knows.

While this price movement is very well correlated, perhaps even causal, for MarketWatch (and all similar bottom feeders that are just trying to make ad revenue) it's a case of a broken clock being right. Those financial news sites which link recent news to stocks, e.g. Yahoo, Benzinga: those recent news headlines are just the same as ad tech now. It is noise.


The market correctly does not care because there is no consequence for the current or prior executives and no financial consequence for the company. All they will do is send out some obligatory notices, mention it in their investor relations materials, maybe offer a year of credit score monitoring, and move on.

We need regulations with massive fines, class action lawsuits (a ban on arbitration clauses), and maybe automatic minimum level compensation to those customers.


I think they will care a lot more when it directly impacts them. If all their text conversations were publicly available that would cause some outrage.


> I never got the impression that the market ever cares about data breaches. It seems most companies are rarely held financially responsible for data breaches anyway.

This might also explain why there's little visible effect on other cloud database services either. After all, the attack is pretty simple and potentially affects any cloud database that allows access from the Internet.


The market doesn't care precisely because there is never any accountability.


I'm certainly not going to defend negligence of data protection but it's extremely difficult to cost as a liability (naively, you might even consider it not a liability at all) without government oversight.


My reading is that the market thinks Snowflake takes the majority of the blame, and the content of the linked article seemed to suggest as much despite having only AT&T in the headline.


It's actually a great way to tell that it is known that the punishment is insufficient.


Insurance takes up a lot of the fallout from data breaches.


Well it’s as if you put your data in Salesforce and Salesforce got breached… maybe you’re bad at picking vendors but the real loss of trust would be on Salesforce.

In this case, Snowflake was also the cause for the Ticketmaster and Lending Tree breaches according to the article so…

real lack of trust in Snowflake now.


Snowflake is a platform. The lack of trust is in whoever configured Snowflake for AT&T.

Credential rotation, SSO, PrivateLink or IP allowlists all should be used with PII.
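The controls listed above, as an added example of what they look like on the Snowflake side (this is not from the thread or from AT&T's or Snowflake's own configuration). The policy names, user name and IP ranges are assumed placeholders; PrivateLink is provisioned at the cloud/account level and is not shown here.

```sql
-- Added example: hardening a Snowflake account that holds PII.
-- Policy names, the user 'svc_etl' and the IP ranges are placeholders.

-- 1. IP allowlist: reject logins from anywhere except known egress ranges.
--    (The session issuing this must itself come from an allowed IP.)
CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')   -- placeholder corporate egress range
  COMMENT = 'Only corporate egress may reach this account';
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- A service account gets an even narrower policy of its own.
CREATE NETWORK POLICY etl_host_only
  ALLOWED_IP_LIST = ('198.51.100.7');     -- placeholder ETL host
ALTER USER svc_etl SET NETWORK_POLICY = etl_host_only;

-- 2. Credential rotation for key-pair auth: load the new key into the
--    second slot, repoint the client, then retire the old key.
ALTER USER svc_etl SET RSA_PUBLIC_KEY_2 = '<new public key PEM body>';
-- ... after the ETL job is confirmed authenticating with the new key:
ALTER USER svc_etl UNSET RSA_PUBLIC_KEY;

-- 3. Require MFA enrollment for interactive and driver logins
--    (authentication policies; syntax as in current Snowflake docs).
CREATE AUTHENTICATION POLICY humans_need_mfa
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES = ('SNOWFLAKE_UI', 'DRIVERS');
ALTER ACCOUNT SET AUTHENTICATION POLICY humans_need_mfa;

-- 4. Verify what is actually in force before declaring the account hardened.
SHOW NETWORK POLICIES;
DESCRIBE NETWORK POLICY corp_egress_only;
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
```

Without the allowlist, a single leaked password or key is enough to reach the warehouse from anywhere; with it, the same leaked credential is useless off-network, which is the property a defender wants for PII stores.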


It's not an expensive problem and customers aren't going to go anywhere else.

A class action lawsuit is just going to result in everyone’s $2 being given as a free trial of a ringtone addon from the early 2000s that converts into more recurring revenue.


It’s priced in.



