The breach at P.F. Chang’s China Bistro may have stretched on longer than some thought.
According to reports, the breach may go back as far as September 2013, roughly nine months before it was first discovered.
According to Krebs on Security, Visa issued an alert June 17 to a bank notifying them that hundreds of cards were exposed Sept. 18, 2013. Though the alert did not specifically mention P.F. Chang’s, the bank had purchased more than a dozen cards being sold on a cybercrime forum that has been exclusively selling cards stolen from P.F. Chang’s. Every one of the cards was listed in the alert from Visa, according to Krebs.
P.F. Chang’s did not respond immediately to a request for comment. Previously, the restaurant chain said it learned of the compromise June 10, and immediately began cooperating with the U.S. Secret Service as well as third-party forensics experts.
“At P.F. Chang’s, the safety and security of our guests’ payment information is a top priority,” spokesperson Anne Deanovic said in a statement June 12. “Therefore, we have moved to a manual credit card imprinting system for all P.F. Chang’s China Bistro branded restaurants located in the continental United States. This ensures our guests can still use their credit and debit cards safely in our restaurants as our investigation continues.”
If the breach did stretch on for nine months, it would not be the first time that significant time went by before a security breach was plugged. According to the Verizon’s 2014 Data Breach Investigations Report, weeks and months often went by in the cases they investigated in 2013 before the breach was discovered. The Target breach went undiscovered for more than two weeks before the attack was uncovered.
TK Keanini, CTO of Lancope, said that the incident shows that early forms of detection need to be implemented by businesses to keep this from happening “over and over again.”
“The detection here is much too late in the chain of events as the retailer is only made aware that they have been compromised when someone finds their stolen customer data on the black market,” he said. “While this is a form of detection, it is the most expensive form.”
According to reports, banks reported the cards were stolen from P.F. Chang’s China Bistro restaurants in Maryland, Florida, Pennsylvania, Nevada and North Carolina. There are more than 200 of the restaurants in the United States. The company also operates Pei Wei Asian Diner, which has roughly 200 locations as well, but that chain has not been implicated in the breach.