Security Experts:

P.F. Chang's Confirms Payment Card Breach: Reverts to Imprinting Devices

PF Chang's Data Breach

After saying earlier this week that it was investigating reports of a data breach related to payment cards used at its locations, P.F. Chang's China Bistro confirmed on Thursday that credit and debit card data has been stolen from some of its restaurants.

Interestingly, the company also said that it has switched over to manual credit card imprinting systems for all P.F. Chang's China Bistro branded restaurants located in the continental United States. 

The popular restaurant chain said that on Tuesday, June 10, the United States Secret Services alerted the company about the incident.

According to a statement posted to P.F. Chang’s website, the company initiated an investigation with the Secret Service and a third-party forensics firm to understand the nature and scope of the incident.

“Because we are still in the preliminary stages of our investigation, we do not yet know which credit or debit cards may be involved. P.F. Chang's has notified the credit card companies and is working with them to identify the affected cards,” the statement explained.

On Tuesday, security blogger Brian Krebs reported that cards reportedly used at P.F. Chang’s were found at carder forum rescator[dot], which happens to be the same site where cards belonging to victims of the Target breach were sold. According to Krebs, several banks said the latest collection of cards had all been used at P.F. Chang's locations between March 1 and May 19.

In an FAQ posted to its website, the company explained that it has temporarily ditched its electronic Point-of-Sale System in favor of old-school “imprinting devices” to process payments while the company gets the situation under control and understands the scope of the attack.

“All P.F. Chang's China Bistro branded restaurants in the continental U.S. are using manual credit card imprinting devices to handle our credit and debit card transactions,” the company said. “This allows you to use your credit and debit cards safely.”

"With clear details not available on P.F. Chang’s breach, it mirrors the trend we’ve been seeing with other recent high profile data breaches – meaning the response time could be lengthy,” Simon Eappariello, SVP product & engineering at iboss Network Security, told SecurityWeek.

“In looking at the information currently available, the breach could be the result of an attack on POS equipment, or more likely, a central database server – as several P.F. Chang’s locations seem to be implicated in different states.”

“This new PF Chang’s breach continues an ongoing trend of high profile breaches where the company seems to have no internal awareness about its occurrence until this external notification of private information has been exposed and the focus for identification is all occurring post-breach,” Will Gragido, Director of Security Intelligence at NSS Labs, told SecurityWeek.

“With the increasingly frequent attacks against the retail industry and POS infrastructure, it appears there is a larger systemic issue at play and it is likely that these breaches will continue,” Gragido added.

Anyone who has visited a P.F. Chang’s and used a payment card over the last several months should monitor their accounts and report any suspected fraudulent activity to their card company.

The company has also setup a line for customers to call if they have additional questions: 1-877-782-6356.

Related: Cybercriminals Targeting Cloud-Based PoS Systems via Browser Attacks

view counter
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.