P.F. Chang's May Have Leaked Info on Thousands of Credit Cards

P.F. Chang's is investigating a possible breach involving credit and debit cards used at its locations between March and May 19 of this year

P.F. Chang’s China Bistro may have killer lettuce wraps, but the jury is still out on the status of its security profile: the nationwide chain is investigating a possible breach involving credit and debit cards used at its locations between March and May 19 of this year.

Brian Krebs, the security researcher who broke the Target breach story, said that on June 9, thousands of fresh, purloined credit and debit cards went up for sale in the same underground cyber-crime store that sold the millions of Target cards. The new batch is going for $18 to $140 each, depending on type and threshold (platinum vs. standard, for instance). They’re being advertised as “100 percent valid,” meaning none of them have yet been canceled by banks.

“The new batch of stolen cards, dubbed ‘Ronald Reagan’ by the card shop’s owner, is the first major glut of cards released for sale on the fraud shop since March 2014, when curators of the crime store advertised the sale of some 282,000 cards stolen from nationwide beauty store chain Sally Beauty,” Krebs noted in a blog detailing the situation.

Looking to season the stir fry of evidence, as it were, Krebs contacted several banks, which said that the cards in question had all been used at P.F. Chang’s locations within the aforementioned time period. For its part, P.F. Chang’s said that it “has been in communications with law enforcement authorities and banks to investigate the source,” but it so far hasn’t been able to confirm a compromise.

Unfortunately, that lack of visibility is endemic, researchers said. “Once an attacker is on your network, they have plenty of time to go after customer data, intellectual property or government secrets without being detected, which is why companies are being told they have been breached versus detecting it themselves,” said Eric Chiu, president and co-founder of HyTrust, in an email. “Organizations need to shift to an 'inside-out' model of security, and assume the attacker is already on the network.”

As with other recent point-of-sale breaches, the data for sale has been lifted from the magnetic stripe on the backs of cards; the information can then be used to create counterfeit cards. However, it’s unclear what type of malware was used, the attack vector or how many of the 200+ restaurant locations around the country were impacted – if indeed it is a P.F. Chang’s-related breach.

Andrey Dulkin, senior director of cyber innovation at CyberArk, said that this will likely turn out to be an example of attackers looking for weak links among employee security practices.

“Attackers use tactics such as phishing to target, steal and exploit valid employee or partner credentials, providing access to the target company’s broader network,” he told Infosecurity. “Once the attackers gain these credentials, they’re able to elevate privileges to gain an insider foothold on the targeted network. From here, attackers are able to spiral through a network, hijacking additional accounts, elevating privileges to gain access to vast stores of information, data and control within an organization’s digital repositories. As demonstrated in other recent retail breaches, attackers then use these credentials to implant malware on PoS devices, stealing card data from a large number of terminals.”

The critical moment in any malicious operation of this nature is the point where the attacker manages to hijack the privileged credentials that enable operation in the network, he added. “As has been consistently demonstrated in numerous breaches, the transformation of malicious outsiders into de facto insiders enables an attacker to operate in the network, access sensitive assets, install malware and reach the attack goal – all by employing the same permissions and workflows that the organization established for its own, legitimate processes.”

Some say that the ongoing retail breaches show that incident prevention is no longer enough: threat detection instead is becoming critical, as hackers are using the same techniques to repeatedly compromise systems.

“For instance, in almost every case, there is a combination of access into the organization as well as being able to export data from the organization,” said Steve Hultquist, CIO and vice president of customer success at RedSeal Networks, in a comment to Infosecurity. “Both directions are critically important, and many organizations do not focus on both equally. Let's face it, attempting to focus on every possible path through a network is impossible for any human being.”

He added, “The only way to protect an organization from these ongoing threats is to clearly know that your network is defending your data in both directions. And the only way to do that is with systems that analyze all the possible paths and map them to expected network security architecture.”
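The "analyze all possible paths in both directions" idea above can be made concrete with a small reachability check. The following is an added example, not code from the article or from RedSeal: it models network zones and the flows a firewall permits between them as a constructed graph, computes every zone a PoS segment can reach (egress) and every zone that can reach it (ingress), and compares both against the architecture the defender expects. The zone names, flows and policy are all made-up sample data.

```python
"""Added example: transitive path analysis of a zone graph against expected policy."""
from collections import deque

# Constructed zone graph (not from the article): each edge is a flow the
# firewall allows from the source zone to the destination zone.
ALLOWED_FLOWS = {
    "internet": {"dmz"},
    "dmz": {"corp_lan"},
    "corp_lan": {"pos_segment", "dmz", "internet"},  # office LAN may browse out
    "pos_segment": {"payment_gateway", "corp_lan"},  # weak link: PoS can reach corp LAN
    "payment_gateway": {"acquirer_net"},
}

# Expected architecture for the PoS segment (constructed): it should only
# talk to the payment path, and only the corp LAN (admin) should reach it.
EXPECTED_POLICY = {
    "pos_segment": {
        "egress": {"payment_gateway", "acquirer_net"},
        "ingress": {"corp_lan"},
    }
}


def find_paths(graph, start, reverse=False):
    """BFS from `start`; returns {zone: path} for every transitively reachable zone.

    With reverse=True the edges are followed backwards, i.e. the result is
    every zone that can reach `start` and the path it would take.
    Neighbours are visited in sorted order so results are deterministic.
    """
    if reverse:
        rev = {}
        for src, dsts in graph.items():
            for dst in dsts:
                rev.setdefault(dst, set()).add(src)
        graph = rev
    paths = {}
    seen = {start}
    queue = deque([(start, [start])])
    while queue:
        node, path = queue.popleft()
        for nxt in sorted(graph.get(node, ())):
            if nxt not in seen:
                seen.add(nxt)
                paths[nxt] = path + [nxt]
                queue.append((nxt, path + [nxt]))
    return paths


def check_zone(graph, policy, zone):
    """Compare reachability in both directions with the expected policy.

    Returns a sorted list of (direction, other_zone, path) violations, where
    the path is written in the direction traffic would actually flow.
    """
    violations = []
    for dst, path in find_paths(graph, zone).items():
        if dst not in policy[zone]["egress"]:
            violations.append(("egress", dst, path))
    for src, path in find_paths(graph, zone, reverse=True).items():
        if src not in policy[zone]["ingress"]:
            violations.append(("ingress", src, list(reversed(path))))
    return sorted(violations)


def without_flow(graph, src, dst):
    """Return a copy of the graph with one allowed flow removed (a candidate fix)."""
    fixed = {k: set(v) for k, v in graph.items()}
    fixed[src].discard(dst)
    return fixed


if __name__ == "__main__":
    for label, g in (("current", ALLOWED_FLOWS),
                     ("after removing pos_segment -> corp_lan",
                      without_flow(ALLOWED_FLOWS, "pos_segment", "corp_lan"))):
        print(f"== {label} ==")
        for direction, other, path in check_zone(g, EXPECTED_POLICY, "pos_segment"):
            print(f"{direction:7} {other:16} via {' -> '.join(path)}")
```

Run as-is, the check reports that the PoS segment can transitively reach the internet through the corporate LAN (an exfiltration path) and that the internet can transitively reach the PoS segment through the DMZ and corporate LAN (the phishing-to-PoS chain Dulkin describes). Removing the single PoS-to-corp flow clears the egress findings, but the ingress findings remain: as long as the corp LAN may administer the PoS terminals and is itself reachable from outside, every hop a compromised workstation gives an attacker is a hop toward the terminals, which is exactly why the policy has to be checked transitively rather than one firewall rule at a time.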
