Evaluating The Financial Impact of Data Breaches Involving Account Credentials

Authentication mechanisms are widely adopted by organizations as a means of securing and controlling access to information systems and their accompanying information. While account credentials in the form of text-based passwords have been employed as an authentication mechanism since the 1970s, some security experts have argued the password’s ineffectiveness. Passwords can either be the cause of a data breach or information that is compromised during a data breach. Our investigation examines the difference in annual firm profit, annual sales, and annual operating expenses between firms that experience an account credential data breach and firms that experience a non-account credential data breach. To conduct our investigation, we use data breach incident information from the Privacy Rights Clearinghouse website and financial data from the Standard & Poor’s Compustat database. In our panel dataset, we identify 89 data breach incidents that involved account credentials out of our total sample of 937 incidents from years 2005-2019. Overall, our results indicate that firms that experience an account credential data breach have lower annual profit and lower annual sales compared to firms that experience a non-account credential data breach. However, we do not find a statistically significant difference in average operating expenses. Our findings suggest that it would be worthwhile to focus information security efforts on improving identity and access management practices since incidents that involve account credentials may lead to more negative financial consequences.

Scott Chu
Conference Paper
Saturday, September 18, 2021