Repercussions Of A REIT Data Breach

Includes: ESS
by: Llenrock Group

Identity theft is an unfortunate by-product of our increasingly interconnected and digital financial world. Perhaps you’ve been a victim of identity theft yourself. I have: I once read my debit card’s billing statement and discovered a series of retail transactions in the UK–I’ve never been to the UK, nor did I have any clue what the transaction might have been. Fortunately, my bank reimbursed me for my loss, following a fraudulent-charge report, and I came out even, if a little shaken, following the event. It was no big deal.

Mass breaches of consumers’ personal and financial information are a big deal, however, since the breach is so much more widespread. Likewise, when a company (such as a retailer) sees its customers’ data compromised by malware, hackers, etc., they become financially liable to a great extent. What is more, companies that lose control of their customers’ confidential financial information are at risk of a huge public relations crisis; the companies’ security and trustworthiness as retailers is called into question, sometimes leading customers not simply to conduct their transactions in cash but take their business elsewhere.

During last year’s holiday shopping season, discount department store chain Target (NYSE: TGT) suffered a massive data breach. The full extent of this damage remains uncalculated, but some estimates place the financial toll (loss of business, compensation) above $100 million. Just last month, home improvement giant Home Depot (NYSE: HD) became the next high-profile retailer to suffer a financial loss at the hands of hackers, taking a significant dip on the stock market as a result.

Forbes’ Maggie McGrath reports,

Home Depot…the nation’s largest home improvement retailer, confirmed Monday afternoon that its payment data systems have been breached. The confirmation comes less than a week after the retailer first disclosed the possibility of a breach. In an attempt to help customers — and avoid some of the fallout that has plagued data-breach victim Target…Home Depot also said on Monday that it is offering free identity protection services to customers who may have been affected by the breach.

In confirming the data breach, Home Depot said …that brick and mortar stores in U.S. and Canada have been affected, while stores in Mexico and transactions that occurred on seem to have been spared. The company said that it is investigating transactions from April 2014 going forward — that is, transactions that have occurred in the past five months — and that while the full scope, scale and impact of the breach has yet to be determined, “there is no evidence that debit PIN numbers were compromised.”

While these data breaches are mostly a nuisance for consumers, they represent an enormous injury to Target’s and Home Depot’s brands. A brand, after all, has little value unless it is trusted by customers.

Will the breaches have ripple effects within the U.S. and Canada retail real estate sectors? Probably not; companies so large and successful are generally able to absorb the enormous financial impact without having to shutter stores. If Home Depot or Target locations are shuttered in the aftermath of these breaches, it surely isn’t only because of the companies’ systems being hacked.

Closer to the real estate sector is the recently reported data breach that has afflicted multifamily owner/operator Essex Property Trust (NYSE: ESS).’s Erika Morphy reports,

A new development for the industry is this week’s report by Essex Property Trust that its computer networks were hacked. The REIT said in a security filing that it wasn’t clear if personal financial information about its tenants was compromised.

It could be that tenants’ information is safe; however as other companies’ experiences with malware show, there is also a good chance that at least some information was compromised. It could take days or weeks before the REIT can complete the forensics to determine exactly what happened.

It may be a while before the multifamily REIT is able to calculate the full damage, if any, of this cyber attack. Naturally, landlords like Essex hold a great deal of personal data pertinent to their tenants, so this could potentially be a grave situation indeed. Still, Ms. Morphy points out in her article, the operator has one advantage over its retail peers; its brand and properties are less associated than those of retail companies.

Still, this gives the REIT sector reason to show care regarding tenants’ data in the future, particularly REITs that collect data in transactions directly with the public (rather than corporate/company tenants). For this reason, multifamily, hospitality, and self-storage operators should be particularly on guard.

Disclosure: The author has no positions in any of the stocks mentioned.