06-12-14 | Blog Post
As another large U.S. retailer – this time restaurant chain P.F. Chang’s – suffers the impact of a data breach, results of a survey released Thursday show that consumers hold retailers responsible at a rate nearly as high as that of the cyber criminals themselves.
According to reports, thousands of credit and debit cards used at P.F. Chang’s between March and May are now for sale on an underground store. The chain told KrebsOnSecurity.com that it has not confirmed a card breach, but it “has been in communications with law enforcement authorities and banks to investigate the source.”
More from KrebsOnSecurity.com:
It is unclear how many P.F. Chang’s locations may have been impacted. According to the company’s Wikipedia entry, as of January 2012 there were approximately 204 P.F. Chang’s restaurants in the United States, Puerto Rico, Mexico, Canada, Argentina, Chile and the Middle East. Banks contacted for this story reported cards apparently stolen from PFC locations in Florida, Maryland, New Jersey, Pennsylvania, Nevada and North Carolina.
The new batch of stolen cards, dubbed “Ronald Reagan” by the card shop’s owner, is the first major glut of cards released for sale on the fraud shop since March 2014, when curators of the crime store advertised the sale of some 282,000 cards stolen from nationwide beauty store chain Sally Beauty.
The items for sale are not cards, per se, but instead data copied from the magnetic stripe on the backs of credit cards. Armed with this information, thieves can re-encode the data onto new plastic and then use the counterfeit cards to buy high-priced items at big box stores, goods that can be quickly resold for cash (think iPads and gift cards, for example).
On Thursday, global communications firm Brunswick Group released a survey titled “Main Street vs. Wall Street: Who is to Blame for Data Breaches?” Its results revealed that consumers are nearly as likely to hold retailers responsible for data breaches (61 percent) as the criminals themselves (79 percent). Only 34 percent blame the banks that issue debit and credit cards.
Also notable, 34 percent of those surveyed report they no longer shop at a specific retailer due to a past data breach issue. More from the Brunswick Group press release:
The impact of a data breach extends beyond consumer buying habits, to the retailer’s valuation. Brunswick’s analysis shows that of 13 companies that recently experienced a large data breach, each experienced a sustained drop in their average daily stock price. On average, six months after a breach, company valuation has not yet rebounded to pre-breach value.
“A data breach hits a company at the cash register, on Wall Street and at the heart of their relationship with the customer,” said Mark Seifert, Partner at Brunswick Group. “If consumers don’t feel the retailer is doing enough to protect their data, they will protect themselves by shopping elsewhere.”
That’s all part of the overall cost of a breach.
In 2013, the Ponemon Institute and Hewlett-Packard collaborated on a study showing that resolving a single breach costs an organization more than $1 million on average, while actual costs for larger organizations can reach up to $58 million.
How can an organization avoid being a victim of a data breach? Layer up on technical security tools to deter web-based attacks, for one. A web application firewall (WAF) can protect web servers and databases: it sits behind your virtual or dedicated firewall and scans all incoming traffic for malicious attacks. The neat thing about a WAF is that it uses dynamic profiling to learn, over time, what kind of traffic is normal and what should raise an alarm.
Encryption is another best practice for securely transmitting information online. To avoid interception by hackers, use an SSL certificate to encrypt data as it moves from a browser to a server containing an application or website. Pair this with a VPN (Virtual Private Network) to securely access your organization’s network, as well as two-factor authentication to provide an extra level of access security, and your data is protected as it travels across wireless networks.
KrebsOnSecurity: Banks: Credit Card Breach at P.F. Chang’s
Brunswick Group: Data Breach Survey: Consumers Hold Retailers Responsible, Second Only to Criminals