P.F. Chang's Issues Breach Update

Restaurant Chain Phases Out Manual Card Imprinting
P.F. Chang's Issues Breach Update

Restaurant chain P.F. Chang's China Bistro has issued an update to customers concerning its data breach investigation, saying the hack attack was the work of a "highly sophisticated" gang, and that digital forensic experts continue to investigate the full extent of the breach, and put related information security improvements in place.

See Also: Data Center Security Study - The Results

"The security compromise was part of a highly sophisticated criminal operation that is being investigated by both the U.S. Secret Service and a team of third-party forensic experts," Rick Federico, CEO of P.F. Chang's, says in a July 1 statement.

But the company, which is based in Scottsdale, Ariz., stopped short of detailing who may have launched the attacks, how they gained access to P.F. Chang's systems or what type of point-of-sale malware or other attack code they may have used. "An investigation of this nature takes time, and while we would like to be in a position to provide further information, we can only share details that have been confirmed by the investigators," Federico says.

To date, it's unclear how many of the company's 210 U.S. restaurants may have been affected. But some card issuers see signs that the breach began back in September 2013, meaning it would have predated the November 2013 breach of U.S. retailer Target Corp.

P.F. Chang's also has not detailed how many payment cards may have been stolen. But Federico says the company has already been feeding information discovered by the forensic team back to credit card companies, to help identify affected cards. "The card companies can then provide this information to the issuing banks, who have the best means of directly contacting their affected credit and debit card holders," he says.

If his update offers scant additional details about the scope of the breach, it's still notable for its relative transparency. Indeed, since P.F. Chang's learned from the Secret Service on June 10 that it was the apparent victim of a hack attack, it has issued regular updates directly to its customers, starting with Federico issuing a public data breach warning just 48 hours after learning of the potential intrusion.

POS Upgrades Readied

P.F. Chang's data breach investigation has also been aimed at hardening the restaurant's POS systems against any repeat or copycat attacks. According to Federico, related POS upgrades are just about finished. "In the near future, we will complete the deployment of new hardware and begin the transition back to our standard card processing system," he says.

In the interim, P.F. Chang's has been using manual card-imprinting machines -- a.k.a. "knuckle busters" -- and dial-up card readers, which are connected to PSTN fax lines and used to process card slips.

While that process offers security -- "it is safe today for you to use your credit and debit cards in our restaurants," says Federico -- it's also slow, not automated and thus a temporary fix. Last month, the manager of one P.F. Chang's restaurant in New Jersey said the switch to manual card imprinting and carbon credit-card slips had necessitated dedicating a staff member to process all of the slips using the dial-up reader and PSTN line, and said that even with entering receipts nonstop, the restaurant couldn't keep up.

Lawsuit Targets P.F. Chang's

Despite little concrete information relating to the data breach investigation being publicly known so far, a class-action lawsuit has already been filed against P.F. Chang's, alleging the restaurant violated its obligation to protect consumer data (see Breach Suit Filed Against P.F. Chang's).

The lead plaintiff for the suit is Illinois resident John Lewert, who is being represented by Chicago-based attorney Joseph Siprut. Spirut filed a similar class-action lawsuit on behalf of 40 million consumers against Target in December 2013.

The suit against P.F. Chang's asks that damages be paid by the restaurant to the plaintiff and other members of the class for fraud losses linked to cards that were associated with the breach. The suit also asks that plaintiffs in the suit be paid punitive damages, statutory damages, and that P.F. Chang's issue individualized breach notices to all impacted consumers. Additionally, the plaintiffs have requested that P.F. Chang's provide at least three years of credit monitoring services to affected consumers as well as pay the plaintiffs' attorney and litigation fees, among other things.

But legal experts say its unlikely the suit against P.F. Chang's will bear fruit for consumers. That's because tying consumer fraud losses to a specific breach, in today's age of numerous retail breaches, is next to impossible, they say.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network