P.F. Chang's Breach Affects 33 Restaurants

P.F. Chang’s customers may be looking for eggrolls at the restaurant, but cybercriminals bent instead on rolling the chain’s security were able to compromise card data in 33 restaurants across the US.

“We have determined that the security of our card processing systems was compromised, and we have reason to believe that the intruder may have stolen some data from certain credit and debit cards that were used during specified time frames at 33 P.F. Chang's China Bistro branded restaurant locations in the continental United States,” said CEO Rick Federico, in a statement. “The potentially stolen credit and debit card data includes the card number and in some cases also the cardholder's name and/or the card's expiration date. However, we have not determined that any specific cardholder's credit or debit card data was stolen by the intruder.”

No Pei Wei-branded restaurants were affected by the security compromise.

On Tuesday, June 10, the United States Secret Service alerted P.F. Chang's to a possible security compromise involving credit and debit card data reportedly stolen from certain P.F. Chang's China Bistro branded restaurants located in the continental United States, taking place between March and May 19 of this year.

Brian Krebs, the security researcher who broke the Target breach story, first reported the issue in June, when thousands of fresh, purloined credit and debit cards went up for sale in the same underground cyber-crime store that sold the millions of Target cards. The new batch last month was going for $18 to $140 each, depending on type and threshold (platinum vs. standard, for instance). They’re being advertised as “100 percent valid,” meaning none of them have yet been canceled by banks.

As with other recent point-of-sale breaches, the data for sale has been lifted from the magnetic stripe on the backs of cards; the information can then be used to create counterfeit cards. However, it’s unclear what type of malware was used. For now, the issue is contained, the chain said.

“Since being alerted to the security compromise that we believe may have affected certain domestic P.F. Chang's China Bistro restaurants, our team has worked continuously to investigate the security compromise and to ensure the security of our guests' credit and debit card information,” Federico said. “The security compromise has been contained and P.F. Chang's has been processing credit and debit card data securely at all locations since June 11, 2014.”

The fact that it took the investigation just under a month to uncover the scope of the breach is worrying to some researchers.

“PF Chang’s statement about the extent of the breach they suffered is commendable – consumers, investors and regulators demand transparency,” said Mike Lloyd, CTO at RedSeal Networks, in a comment to Infosecurity. “However, the time it took is interesting – it’s an example of the ‘fog of war’ that all organizations have to deal with today. Just as in real wars, defenders need to understand where they stand. Unfortunately, terrain mapping is quite hard in the overgrown, complex IT infrastructures we rely on. Many organizations learn this the hard way – even when informed they have been breached, they struggle to map out the extent of the attack, let alone understand how it happened, how to stop it and how to clean up. Savvy organizations map their defenses, and even test them using virtual ‘war-gaming’ well ahead of the inevitable attack.”
