P.F. Chang’s China Bistro is investigating reports of a breach after data from thousands of credit and debit cards were discovered being offered online on a notorious underground forum.
The presence of the cards on rescator[dot]so was first reported by security blogger Brian Krebs. It is the same site where cards belonging to victims of the Target breach were sold. According to Krebs, several banks said the latest collection of cards had all been used at P.F. Chang locations between March 1 and May 19.
Update: P.F. Chang’s Confirms Payment Card Breach: Reverts to Imprinting Devices
“P.F. Chang’s takes these matters very seriously and is currently investigating the situation [and] working with the authorities to learn more,” a company spokesperson told SecurityWeek. “We will provide an update as soon as we have additional information.”
According to Krebs, the banks reported that the cards were stolen from P.F. Chang restaurants in Maryland, Florida, Pennsylvania, Nevada and North Carolina. There are more than 200 P.F. Chang restaurants in the United States. The company also operates Pei Wei Asian Diner, which has roughly 200 locations as well.
“Organizations are so focused on what is coming into their networks they don’t pay enough attention to what is going out,” said Chester Wisniewski, senior security advisor at Sophos. “The card issuers have far better analytics to find these types of patterns. They call it CPP for common point of purchase. When you have fraud or find 100 or so of your cards on a carder forum you start to look for patterns or CPPs. This is how most card breaches are discovered in my experience.”
Steve Hultquist, chief information officer and vice president of customer success at RedSeal Networks, noted that the complexity of modern networks makes securing them challenging.
“Let’s face it, attempting to focus on every possible path through a network is impossible for any human being,” he said. “The only way to protect an organization from these ongoing threats is to clearly know that your network is defending your data in both directions. And the only way to do that is with systems that analyze all the possible paths and maps them to expected network security architecture.”
Update: P.F. Chang’s Confirms Payment Card Breach: Reverts to Imprinting Devices