P.F. Chang's Breach: 33 Locations Hit

Experts Question Why So Few Locations Affected
(Editor's Note: This story has been updated.)

Restaurant chain P.F. Chang's China Bistro announced Aug. 4 that a breach of its card processing system, originally reported June 12, may have resulted in the theft of customer payment card information at 33 of its 210 U.S. locations.

The announcement has security experts questioning why so few of the chain's locations are believed to have been affected.

"While P.F. Chang's investigation into this incident is ongoing, we've been able to determine that the security of our card processing system was compromised, and we have reason to believe the intruder may have stolen some data from certain credit and debit cards that were used during specified time frames at 33 P.F. Chang's China Bistro branded restaurant locations in the continental United States," says Rick Federico, the restaurant chain's CEO, in the Aug. 4 statement.

The 33 apparently affected locations are in 18 states. The chain says these sites appear to have been affected by the breach for various time periods between October 2013 and June 2014.

Investigation Continues

P.F. Chang's says that other locations and time frames for compromises may be identified because the investigation is ongoing.

The potentially stolen information includes card numbers and, in some cases, also the cardholder's name and/or the card's expiration date, the restaurant chain says.

P.F. Chang's did not immediately respond to a request for additional information. Its statement does not specify how many of its customers may have been affected by the breach. "We have not determined that any specific cardholder's credit or debit card data was stolen by the intruder," Federico says.

A web page set up to offer updates about the company's breach, pfchangs.com/security/, lists the impacted restaurants and the time frames during which the potentially compromised cards were used by guests at the locations. None of the chain's Pei Wei fast-casual restaurants were affected by the breach, the company reports.

The company is offering all customers who "may potentially be affected by the security compromise" a year's worth of free identity protection service as well as theft insurance.

Questions Raised

Financial fraud expert Shirley Inscoe, an analyst at the consultancy Aite, says the varying timelines for breach activity reported for the 33 locations noted in P.F. Chang's update raise new questions.

"As I looked at the two locations impacted in North Carolina, one lasted about three-and-a-half months, while the other lasted exactly one week," Inscoe says. "It makes you wonder why the one in Charlotte shut down so quickly - what happened or changed for the breach to last only one week? I don't have any answers, but it certainly is curious."

A card fraud executive with a bank in the Midwest, who asked not to be named, says the fact that only a fraction of P.F. Chang's locations were impacted could point to a POS vulnerability. If not all of the chain's locations use the same types of devices and software, then a remote-access attack could be to blame, the executive notes.

"It makes you wonder what the common link was with those 33 stores," the executive says. "Was it the same POS software that has/had the vulnerability, or was it the same POS terminal that has/had the vulnerability?"

Recent Breaches

Security compromises linked to remote-access vulnerabilities in commonly used POS software and devices have been blamed for a number of recent breaches.

In July, the Delaware Restaurant Association warned its members of a possible card data breach that appears to be linked to LogMeIn, a remote access and systems management provider.

Just one month earlier, in June, another remote-access vulnerability apparently related to a LogMeIn breach was to blame for suspected card compromises in Vancouver, Wash. (see POS Vendor: Possible Restaurant Breach).

Andrew Komarov, a POS malware researcher and CEO of cyber-intelligence firm IntelCrawler, says P.F. Chang's 33 breached locations may very well have been struck with a similar type of attack.

"It's very possible that the bad actors [in the P.F. Chang's attack] received access to the back-office side, which allowed them to compromise other POS terminals," he says. "This is a pretty popular style of professional cyber-attack on merchants."

The restaurant chain's Aug. 4 release of a detailed update about the breach was a welcome move, says the Midwest banking executive, who asked to remain anonymous.

"The release ... was a great move to help consumers with this event; however most FIs [financial institutions] have already blocked and reissued cards," the executive says. "I think PR releases like this one should become the norm. We have seen more companies following this pattern than in years past."

Detecting the Breach

P.F. Chang's first learned of the breach from the U.S. Secret Service on June 10 and issued a statement on June 12 (see P.F. Chang's Confirms Card Breach). On July 2, the chain issued an update on its investigation, saying the hack attack was the work of a "highly sophisticated" gang.

When the breach was first discovered, the restaurants moved to a manual processing system for all credit and debit transactions to prevent any further potential exposure of customer information. "The security compromise has been contained and we have replaced the affected hardware and returned to our standard credit and debit card processing system," P.F. Chang's says in its current FAQ.

P.F. Chang's was hit with a class action lawsuit filed June 25 (see Breach Suit Filed Against P.F. Chang's). The lawsuit makes a number of allegations about breach details. Among them is that the breach exposed some 7 million credit and debit cards and resulted from a malware attack that penetrated P.F. Chang's system because the restaurant chain was not in compliance with the Payment Card Industry Data Security Standard at the time of the alleged attack.

(Executive Editor Tracy Kitten contributed to this story.)


About the Author

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.



