P.F. Chang’s Confirms Data Breach, Credit Cards Stolen
National restaurant chain P.F. Chang’s China Bistro confirmed a data breach that stole customers credit card data in a recent press report released Thursday afternoon. P.F. Chang’s had few additional statements regarding the breach, other than noting that all stores in the United States will be switching to a manual credit card imprinting system, for customers to continue paying with credit cards securely.
A statement released by the company said it first learned about the breach on June 10, the same day P.F. Chang’s went public about credit cards begin breached. P.F. Chang’s released the following statement in regards to the breach:
On Tuesday, June 10, P.F. Chang’s learned of a security compromise that involves credit and debit card data reportedly stolen from some of our restaurants. Immediately, we initiated an investigation with the United States Secret Service and a team of third-party forensics experts to understand the nature and scope of the incident, and while the investigation is still ongoing, we have concluded that data has been compromised.
At P.F. Chang’s, the safety and security of our guests’ payment information is a top priority. Therefore, we have moved to a manual credit card imprinting system for all P.F. Chang’s China Bistro branded restaurants located in the continental United States. This ensures our guests can still use their credit and debit cards safely in our restaurants as our investigation continues.
We have also established a dedicated public website, pfchangs.com/security, for guests to receive updates and answers to their questions.
Because we are still in the preliminary stages of our investigation, we encourage our guests to be vigilant about checking their credit card and bank statements. Any suspected fraudulent activity should be immediately reported to their card company.
We sincerely regret the inconvenience and concern this may cause for our guests.
The credit card data that was breached was put up for sale online on June 9. Security researchers Brian Krebs found P.F. Chang’s credit and debit card data to be up for sale on rescator[dot]so. Rescator is an underground market known for selling tens of millions of stolen credit cards online, the service is well known for housing credit cards found in the Target breach.
While it is unclear how many credit cards have been breached, P.F. Chang’s restaurant holds over 204 locations worldwide. KrebsOnSecurity contacted various banks to find details on the breach and was told that card data from P.F. Chang’s locations in Florida, Maryland, New Jersey, Pennsylvania, Nevada and North Carolina had been stolen.
The batch of stolen cards is dubbed, “Ronald Reagan”, by the card shop owner, this is the first major card dump on sale since March 2014, when the seller sold some 282,000 cards stolen from beauty store chain, Sally Beauty.
The stolen P.F. Chang’s data is not credit card numbers, but instead, data copied from the magnetic strip found on the back of cards. Cyber criminals could re-encode data onto new plastic cards as malicious RFID scanners can. With such data thieves could buy high-priced items from various retailers and in turn sell the items for cash.
The way criminals steal magnetic strip data is by hacking into the point-of-sale at retail locations and implementing malicious software to record magnetic strip data, this means as cards are swiped the data is recorded and stolen. Some of the largest data breaches were malware implanted in the point-of-sale systems.
While the Rescator seller is not listing how many cards the dump contains, individual card prices are ranging from $18 to $140. Card prices range on the fact of if it is Visa or American Express, etc or if the cards are platinum or businesses, meaning some have a higher spending limits.
While the breach is new, the Ronald Regan batch is begin sold as “100 percent valid,” meaning cyber criminals can expect all purchased cards to work as banks have not reissued or canceled the cards.
