P.F. Chang's Breach: Predates Target?Alerts to Issuers Suggest September 2013 Compromise
A handful of U.S. card issuers on June 18 confirmed Visa had issued alerts that suggested fallout from the P.F. Chang's China Bistro breach could be more far-reaching than initially suspected (see P.F. Chang's Confirms Card Breach).
Now it's believed the P.F. Chang's breach goes back to September 2013, predating the breach that impacted big-box retailer Target Corp. in November and coming on the heels of the breach that compromised Neiman Marcus in July.
But card issuers say they have yet to detect fraud linked to debit and credit accounts possibly compromised by the P.F. Chang's. In fact, one payments fraud expert, who asked not to be named, says issuers are confused about exactly just how big the P.F. Chang's compromise could ultimately be.
"I think some issuers are wondering if the fraud alerts they are getting cover both P.F. [Chang's] and Pei Wei locations or not," the expert says. "That part is confusing to many who are left wondering if they are going to get more later for the other brand."
Pei Wei is a U.S. fast-casual chain owned and operated by P.F. Chang's.
Breadth of Breach
Visa and P.F. Chang's declined to comment about the timeline of the breach, which the restaurant chain began investigating earlier this month. But executives with several leading U.S. card issuers say suspected compromise dates provided by Visa raise more questions, rather than providing answers. MasterCard had yet to contact any of the banking institutions that communicated with Information Security Media Group about the P.F. Chang's compromise.
One executive with a leading issuer says Visa's alert suggests that fewer debit and credit accounts were impacted than initially suspected. "With that, I would suspect they may not be focusing on every location or they have missed a lot of accounts on the initial notification and subsequent notifications may be coming," the executive says.
An executive at another card issuer says the new timeline for the breach suggests a stronger connection to previous retail compromises, which could be a good thing for issuers that have already replaced cards impacted by the breaches at Target, Sally Beauty and Michaels.
The executive also points out that if the same cards were impacted by some of those earlier reported breaches, then Visa likely removed those numbers from the alerts issued earlier this week.
Whether P.F. Chang's compromise is linked to other retail breaches, such as Target, has not yet been confirmed (see P.F. Chang's Breach: Link to Target?).