There have been a spate of cases of digital identity theft or breaches of security from UK listed companies of late. Their shares prices have all been affected to a greater or lesser extent.
On the 2nd October, Experian (EXPN) reported that 15 million US consumers who had applied for T-Mobile services had been the subject of theft of their personal information. T-Mobile is reviewing its relationship with the company, but the share price only suffered a temporary setback even though the information disclosed was quite extensive, but did not include payment or banking information. Experian do a lot of on-line credit checking, so it is of course of particular concern when the gate keepers seem to have poor security themselves.
On the 23rd October, TalkTalk Telecom Group (TALK) reported a cyber crime attack on its web site that might have caused the disclosure of personal information including banking and credit card details. The share price fell by 18% over two days perhaps because the company handled the affair in a rather ham-fisted away (such as apparently claiming it was a Digital Denial of Service – DDOS, attack which is a different kind of security breach). Their position was not helped when it was reported that the police had arrested a 15 year old boy in Ireland in connection with the event and some customers reported fraudulent payments. Although a lot of hackers are kids in bedrooms, this raised questions about the strength of the companies defences against intrusion – for example was the customer data encrypted so that even after gaining access it could not be read?
Respected IT commentator Richard Holway was quoted in the FT as saying that “TalkTalk did not have a great reputation before and they constantly came our worse than competitors in customer satisfaction surveys”. He suggested they had a serious reputational problem and that the “company might need to consider changing its name”.
On the 29th October, Optimal Payments (OPAY), reported that it had received allegations about data breaches by subsidiary or acquired companies between 2011 and 2012 (Neteller, Moneybookers/Skrill, etc.). It has commenced an investigation. The share price dropped as much as 18% on the day of the announcement, but subsequently recovered. Perhaps fortunately the company was already in the process of changing its name to “Paysafe Group“, but that might get a few laughs.
Perhaps the impact of these disclosures is not as bad on the companies concerned as might be feared because there have been numerous data breaches – the Financial Times reported the loss of 600,000 customer records in 2014 alone including a large proportion obtained from Government databases. Yes everyone is at risk, and all companies who hold personal data or credit/debit card information are vulnerable.
Some of these risks are easy for companies to guard against with technology, but others are not. A corrupt employee in a sensitive role can be a problem for even the largest company. However, it is very clear that the level of awareness, and how to combat security breaches, in many companies is dire.
Incidentally you might wonder how ShareSoc guards personal and payment information. We do not hold credit card payment or bank information from Members at all because we redirect customers to a secure Paypal web page – as experts in electronic payments we would expect them to understand what is required to keep the information secure and validate “card not present” transactions. We deter telephone credit card payments for the same reason and only one of our directors is even authorised to take such payments, which does inconvenience some Members but web payments or even cheque payments are potentially safer.
How can you as a consumer avoid the inherent risks? One way which this writer uses is to pay with a “pre-paid” credit card – I have several – which is only loaded with the amount I wish to pay, so any large or fraudulent payment is defeated. I particularly use them when I do not trust a supplier. Another way is not to have a company you are purchasing from retain your credit card information (some give you the option), or use those who are using a third party payment service like ShareSoc does rather than handling payments themselves. Lastly, pay via a credit card, not a debit card as you might have a low credit limit on a credit card, while debit cards can be used to empty your bank account, and large transactions are more likely to be queried on a credit card.
There are lots of listed companies that have an interest in personal identity checking. For example, GB Group (GBG) have been on a roll of late because of the growing demand for on-line identity verification. Intercede (IGP) is another AIM listed UK company with some great technology in this area but who seem unable to turn that into growing revenue and profits – a common failing in technology companies.
Note that this writer does hold some of the above shares simply because I consider on-line payments and identity verification to be growth markets so it’s certainly an area worth learning about. The key question investors have to ask is whether a really bad attack would cause a company to lose business in the longer term – TalkTalk certainly appears to be at risk in that regard.