Restaurant chain P.F. Chang’s Chinese Bistro is the most recent high-profile security breach, potentially impacting millions of customers.  Cyber criminals targeted P.F. Chang’s nationwide locations, breaking through their security systems as early as September 2013.  Krebs on Security reported the breach on June 10 after finding thousands of newly posted credit and debit cards for sale on an underground website.

“The fresh data stolen from P.F. Chang’s was initially sold at a premium on the dark web, with prices ranging from $18 to $140 per card based on the card issuer and type,” explains Steve Haase, INSUREtrust’s principal and recent winner of Advisen’s prestigious Cyber Liability Industry Legend Award.  “Card data has a limited shelf life, with prices falling sharply as cards are cancelled and reissued by the Payment Card Industry.”

Cyber criminals are sophisticated, organized, and calculating.  In September of 2013, cyber criminals were apparently amassing a huge database of stolen card data from numerous sources including P.F. Chang’s, Neiman Marcus, and Target.  In the highly publicized Target breach, cyber criminals sold the stolen credit card data in batches according to the cardholders region of origin, maximizing the period before the fraudulent use was detected and the card was cancelled.

P.F. Chang’s stolen card data was offered for sale on the same dark web site that sold the stolen Target data.  It appears that the cyber-criminals held the P.F. Chang’s fresh card data in inventory until all the Target card cancellations had been processed, therefore ensuring that they could sell the individual card records from the P.F. Chang’s heist at higher prices.

Cyber criminals are audacious.  In a recent Los Angeles Times article, authors Faturechi and Li commented on the flagrant advertising of cyber criminals on YouTube.  Cyber criminals post advertisements for stolen credit card packages, jazz them up with unauthorized music downloads, and then agree to allow ads to get a cut of the ad revenue.  Video advertisements for legitimate advertisers like Target are paired with advertisements for “Fullz”, the slang term for the complete package of cardholder identifying information that is required to steal an identity.  YouTube is simply unable to screen every video posted to the site, and cyber criminals are taking advantage.

Cyber crime has evolved.  With revenues approaching that of the illicit drug trade, cyber criminals are managing the acquisition and sale of merchandise like any big business focused on maximizing profit.  Reaching beyond the dark web to advertise their merchandise on main-stream sites such as YouTube allows them to reach a wider audience.   Their merchandise is credit/debit card data, intellectual property or confidential client information, and employee personally identifiable information.

Cyber criminals get access to their “merchandise” through any back door that they can find, from business associates as in the Target breach, from small merchants, from law firms large and small…

INSUREtrust.com LLC is a nationwide wholesale insurance brokerage, specializing in Cyber Liability Insurance and Cyber Risk Management since 1997.  Failure to maintain back door security may result in severe fines and penalties, data forensic expenses, and notification costs.  Risk Management along with a comprehensive Cyber Liability Insurance program mitigates these losses.