Investors can prepare for all sorts of bad news about their companies, but the kind of hack that has floored TalkTalk Telecom (LSE: TALK) will always come as a shock.
The early news suggested a “significant and sustained cyber-attack” had hit the company’s website, with some even speculating that it might have been done by a global terrorist group — but now that we know a little more, it seems it probably wasn’t as bad as originally feared.
And rather than a gang of fanatical idealogues, it might actually have been a 15 year old in Northern Ireland behind the assault. At least, that’s the age of a suspect who has been arrested and bailed pending further inquiries — and how embarrassing would that be?
Customers and investors were not impressed by TalkTalk’s bumbling attempts to find out and tell us what had happened, and the share price plummeted in the days after the news broke, dropping as low as 225p on Monday. Since then, though, as it has become apparent that the potential devastation is less than originally feared, we’ve had a small recovery to end Tuesday at 260p.
Long-term effect?
Something as calamitous as this isn’t necessarily uncontainable, but it’s certainly going to cost TalkTalk a good few potential new customers, and it will surely send a lot of existing customers rushing to the competition. How a company treats its customers in cases like this matters a lot, and as an investor I see TalkTalk’s approach as badly wanting.
In the first few days, the company did not inform all its affected customers, many of who only found out when it hit the news outlets. And it seems the company is now being obstructive when people try to leave. As of 26 October, TalkTalk was insisting on only waiving termination fees for customers wishing to leave if they actually had money stolen, and then the fees will be waived “as a gesture of goodwill, on a case-by-case basis“.
Although the firm says that credit and debit card data have not been compromised, it admits that bank details and personal information of its more than four million UK customers could have been accessed. And if a company can’t keep its customers’ important information safe, yet still insists on every penny it can from them according to the letter of their contracts — well, that seems like shabby treatment to me, and it’s sure to damage what’s left of the trust customers might still have in the company.
TalkTalk shares had already been on the slide before the attack, having fallen from a 52-week high of 415p in June, but it had seriously impressive EPS growth forecast for the next two years. That’s sure to be re-evaluated now, amid talk of compensation perhaps amounting to £1,000 per affected customer.
Investigation
Cyber-experts from BAE Systems have been called in to help, and the Culture, Media and Sport Select Committee is apparently going to be looking at the case. I expect both will be shocked to learn that TalkTalk did not keep all its customer information encrypted, and that it might only have taken a relatively unsophisticated attack to access it — especially as this is a company that had previously been targeted by cyber criminals twice in the past year.
I expect TalkTalk will survive in the longer term, but over the next few years it’s going to have to invest in beefing up its security, perhaps be hit by compensation claims, and will certainly see its customer attraction and retention prospects significantly damaged. I wouldn’t be a customer of a company that appears so poor at data security, and I certainly wouldn’t buy shares in one — especially not at P/E ratios that could exceed 20 once we get updated forecasts.
Oh, and William Hill is offering odds of 5/2 on chief executive Dido Harding needing a new job by the end of the year.
