Retailers discover real cost of data breaches: consumer trust

Posted on July 31, 2014 by April Sage

More U.S. retailers discover the real cost of cardholder data theft: customer loyalty

While P.F. Chang's is still investigating the "highly sophisticated criminal operation" that jeopardized the credit card numbers of its diners, Jimmy John's has now entered the data breach fray. Results of a June 2014 survey show that consumers firmly hold retailers responsible, at a rate nearly as high as that for the cyber criminals themselves.

According to reports, thousands of credit and debit cards used at P.F. Chang’s between March and May are now for sale in an underground store. The chain told KrebsOnSecurity.com that it has not confirmed a card breach, but it “has been in communications with law enforcement authorities and banks to investigate the source.”

More from KrebsOnSecurity.com:

It is unclear how many P.F. Chang’s locations may have been impacted. According to the company’s Wikipedia entry, as of January 2012 there were approximately 204 P.F. Chang’s restaurants in the United States, Puerto Rico, Mexico, Canada, Argentina, Chile and the Middle East. Banks contacted for this story reported cards apparently stolen from PFC locations in Florida, Maryland, New Jersey, Pennsylvania, Nevada and North Carolina.

The new batch of stolen cards, dubbed “Ronald Reagan” by the card shop’s owner, is the first major glut of cards released for sale on the fraud shop since March 2014, when curators of the crime store advertised the sale of some 282,000 cards stolen from nationwide beauty store chain Sally Beauty.

The items for sale are not cards, per se, but instead data copied from the magnetic stripe on the backs of credit cards. Armed with this information, thieves can re-encode the data onto new plastic and then use the counterfeit cards to buy high-priced items at big box stores, goods that can be quickly resold for cash (think iPads and gift cards, for example).

On Thursday, global communications firm Brunswick Group released a survey titled “Main Street vs. Wall Street: Who is to Blame for Data Breaches?” Its results revealed that consumers are nearly as likely to hold retailers responsible for data breaches (61 percent) as the criminals themselves (79 percent). Only 34 percent blame the banks that issue debit and credit cards.

Also notable, 34 percent of those surveyed report they no longer shop at a specific retailer due to a past data breach issue. More from the Brunswick Group press release:

The impact of a data breach extends beyond consumer buying habits, to the retailer’s valuation. Brunswick’s analysis shows that of 13 companies that recently experienced a large data breach, each experienced a sustained drop in their average daily stock price. On average, six months after a breach, company valuation has not yet rebounded to pre-breach value.

“A data breach hits a company at the cash register, on Wall Street and at the heart of their relationship with the customer,” said Mark Seifert, Partner at Brunswick Group. “If consumers don’t feel the retailer is doing enough to protect their data, they will protect themselves by shopping elsewhere.”

That’s all part of the overall cost of a breach.

In 2013, the Ponemon Institute and Hewlett-Packard combined on a study that showed that resolving one breach costs an organization more than $1 million on average, while actual costs for larger organizations can reach up to $58 million.

In 2014, the Ponemon Institute and IBM study showed that the cost of a data breach per capita (per record breached) was $159. Doesn't sound like much? Multiply that by the average number of records stolen in the U.S., or 29,087, and that comes to an average of over $4.6 million per breach.

How can an organization avoid being a victim of a data breach?

  • Culture of security: A cultural shift at the executive level needs to embrace a culture of security throughout the organization from client-facing to internal departments.
  • Defense-in-depth: Only a holistic, defense-in-depth approach to aligning the people, policies, and technologies towards a secure mindset will help companies get ahead of the cybercrime curve.
  • Strong partnerships: Before your next cyberattack, work with your IT vendors and partners to lay out a communication and response plan. Being able to work with your network providers to stave off damaging denial-of-service attacks upstream, while engaging other teams for recovery and forensics, is critical to managing all aspects of a cyberattack.

OTHER RESOURCES:
KrebsOnSecurity: Banks: Credit Card Breach at P.F. Chang’s
Brunswick Group: Data Breach Survey: Consumers Hold Retailers Responsible, Second Only to Criminals
P.F. Chang's: Security Compromise Update
AzCentral: P.F. Chang's updates progress in handling data breach