Why Do Executives Hide Data Breaches?

Whenever a major company suffers a breach, an uncomfortable amount of time – weeks, sometimes months, or even a year – seems to pass until the victims are informed that their personal data might be in the hands of a group of mischief makers.

To provide some context, Uber, a company that offers an alternative to taxis around the world, had known about a breach since October 2016 that it didn’t reveal until Bloomberg reported it in November 2017! Even worse, it paid a ransom to the hackers who attacked it, hoping that the breach wouldn’t make the front page of the news (a plan that apparently backfired horribly).

What’s the big deal? Why do companies like Uber, Equifax, and Yahoo hide their breaches for such a long time?

Don’t Want Their Customers to Lose Trust


This sounds kind of counter-productive, but some executives imagine that if they sweep their breaches under the rug, their customers will somehow continue to trust them. Their fingers are crossed, hoping the breach won’t be that damaging to everyone. Once the dust settles, then they could make an announcement without as much impact.

In some way, it’s kind of like a kid who gets poor grades and hesitates to show his mother his report card. She knows it has to arrive, but he is hoping she will forget, that he will get better grades in the next semester, and then he can show her the better grades next to the worse ones. “See, it’s not really that bad!” he would say.

Unfortunately, this practice is just as counter-productive as it sounds. Customers tend to feel betrayed when they find out that their personal data has run amok for months without their knowledge. This is especially true when social security numbers, credit card numbers, or other sensitive pieces of data are involved.

Don’t Want Their Stock to Drop


Going by the same logic, companies whose shares are traded on a major stock exchange might hide their data breaches for the same exact reason. The difference here is that they do not want their shareholders to be alarmed. If the breach isn’t viewed as extraordinarily harmful, their stock prices won’t plummet down to the bottom of an abyss.

Shareholders might be a bit more forgiving. For example, when Equifax announced its breach on September 7, 2017, it was trading at somewhere around $464 per share. Immediately afterward, on September 11, the share price hit $474. Equifax was unaffected. As the month progressed, it experienced a downward slope, finally trading at $434 on September 26.

Then, when the news cycle died down a bit, it never again hit that low number. By November it was trading higher than the September 11th figure, hitting a peak of $492 per share.

Additionally, Embarrassment


Imagine yourself in the position of a CEO: You’re leading a company with n-thousand employees, billions of dollars in assets, tens of millions of users/customers, the whole nine yards. Suddenly, a lazy hacker finds a vulnerability in your servers that your IT department forgot to patch months ago. It only took one college dropout in his studio apartment to bring you to your knees.

That’s quite a hit to the ego! What do you think most people with a bit of an inflated sense of self-esteem would do?

Sometimes, even executives with the best sense of integrity will choose just to ride out the storm and see if it all just goes away. Then it comes to bite them, and they turn out to regret this decision, as now it’s too late. They had a responsibility and failed to muster the courage to admit they made a mistake to the very people the attack victimized.


In most of the developed world, there are cybersecurity laws in place within commerce codes that do not allow too much time to pass between the discovery of a breach and its announcement. Coverups like Uber’s in November 2017 carry heavy penalties from the United States Federal Trade Commission (FTC), to name one example.

There’s even a bill running through the U.S. Congress that will give prison sentences to executives who hide breaches for an extended and unreasonable period of time.

At this point, there’s nothing you personally can do about these breaches except be prudent with your personal data, but governments have laws in place that penalize these companies. The United States is just taking this a step further by adding jail time to the possible penalties.

It bears repeating once more that you should not put too much of your sensitive stuff on the Internet – regardless of how trustworthy the entity you’re entrusting it to is – unless you absolutely must do this.

What do you think? Should executives go to prison for hiding data breaches that affect the customers of the businesses they represent? Tell us what you think in a comment!

Miguel Leiva-Gomez

Miguel has been a business growth and technology expert for more than a decade and has written software for even longer. From his little castle in Romania, he presents cold and analytical perspectives to things that affect the tech world.


  1. They hide data breaches because they can. There is no accountability in tech. If you can concentrate user data into select DBs instead of spreading it out over billions of devices, it’s going to see the continued support of those in power. This support has led to other niceties like surveillance OSes, data-sharing, backdoors (including hardware based like Intel’s ME)…

    Even when a major player like Yahoo illegally allows access to their data (if we can overlook their own data-breach for a moment) – all we hear is the sound of crickets. The implicit support of our government has created this. All we have left are class-action suits since data breaches should be reported in order to protect the user/consumer. Most aren’t because through the continued losses of our (online) rights, the value of the common individual has been reduced to zilch.

  2. Let’s be honest instead of self-righteous about this. I am far from excusing the behavior of such executives — or those in government who may be guilty of complicity. But the person who is a liar is certain that everyone else is not telling them the truth! In other words, we are rightly complaining of these cover-ups, yet it is common to human nature to cover our failures. We should strive, not just for bringing others to justice (if that is truly the intent behind class-action lawsuits), but to be just ourselves in all of our dealings with others. It’s just too easy to take potshots at those who are exposed publicly because they dared to raise their heads above many of the rest of us.

    1. Sometimes, and I forgot to mention this, the CEO doesn’t even know that the breach happened because IT staff didn’t inform him. Although, in that case, the person is still in a position of responsibility. Leadership requires things that the average Joe doesn’t have: Courage, responsibility, and a can-do attitude that matches competing ambitions.

      It also helps to have political connections :)))

  3. No question the threat of jail time would sharpen the focus of every CEO.
    It’s his watch, his responsibility overall.
    Probably would necessitate a clean out of underperforming IT “security” staff.
    Of course the real freedom of IT staff to get the necessary resources, & to be rewarded appropriately would also change to at least ensure the CEO has taken all possible steps.
