P.F. Chang's Confirms Card BreachCybercrime Forums Sell Stolen Credit and Debit Card Data
Restaurant chain P.F. Chang's China Bistro confirms it suffered a data breach that compromised credit and debit card numbers used by an unknown number of patrons.
P.F. Chang's, which is based in Scottsdale, Ariz., says it first learned from the U.S. Secret Service on June 10 that the company's systems appeared to have been compromised via a security breach. "Immediately, we initiated an investigation with the U.S. Secret Service and a team of third-party forensics experts to understand the nature and scope of the incident, and have concluded that data has been compromised," says Rick Federico, CEO of P.F. Chang's, in a statement released June 12.
Federico's statement was posted to a dedicated P.F. Chang's site for communicating information about the breach. "We are coordinating with the U.S. Secret Service on an investigation to determine when the incident started and what information is involved," he says. "To assist with these efforts, P.F. Chang's retained specialized data privacy counsel and forensics experts who are actively assisting in the investigation."
P.F. Chang's is still working with payment card companies to assemble an exhaustive list of all cards that were compromised in the breach. Based on past breaches, it will also take more time for digital forensic investigators to identify exactly how the attack occurred and then lock down the company's network to prevent repeat attacks.
Until that happens, Federico says P.F. Chang's restaurants in the United States will use a "manual credit card imprinting system." A spokeswoman for the chain confirms to Information Security Media Group that its restaurants are using carbon-copy slips with manual card imprinters, and that P.F. Chang's is distributing "dial-up card readers to restaurants that will be plugged in via the PSTN fax line and used to process the slips."
Restaurants with the P.F. Chang's brand are also operated in Canada and Mexico, as well as a number of other countries, including Argentina, Bahrain, Chile, Columbia, Kuwait and Turkey. But the company said Thursday that the data breach is confined to the continental United States.
Breach Response: Rapid
The restaurant's rapid switch to a backup payment card clearing system, as well as its CEO issuing a public data breach warning just 48 hours after learning about the potential security intrusion, suggests officials are taking the breach seriously.
SANS Institute handler Richard Porter conducted first-hand research into P.F. Chang's on-the-ground breach response by eating lunch there Thursday. "I polled one of the managers if she had been briefed on the breach. She had been informed," Porter reported June 12.
"At lunch ... people were still paying with credit cards, but what returned was a pleasant and welcome surprise," he said. "The bartender placed the bill down along with a manually run credit card from one of the old school card imprinters."
For Sale: Stolen Data
The Secret Service appears to have learned about the P.F. Chang's breach - most likely after having been alerted by fraud experts at one or more payment card providers - after related data appeared for sale on June 9 on the stolen card data marketplace called Rescator. That's one of a number of sites that offer Amazon-like e-commerce functionality to buyers of stolen card data, or "dumps," which is the code contained on the magnetic stripe of a card. The information can be used to commit online fraud, as well as to create cloned credit and debit cards. Some gangs distribute cloned cards to mules located around the world, who then use the cards to attempt to withdraw as much money as possible from ATMs until before payment card providers spot the fraud and disable the card numbers.
P.F. Chang's hasn't yet disclosed how card data was compromised. Leading theories range from a network penetration attack that allowed hackers to exfiltrate information from a database, or an attack that infected point-of-sale payment terminals with malware.
Many information security experts suspect not just that POS malware was used, but that the attack was launched by the same gang that hacked Target, using a variant of the BlackPOS malware. That's because card data stolen from Target, as well as Sally Beauty, reportedly also ended up for sale on Rescator.