14 DAY TRIAL // In a statement providing updated information on the security breach at several of its restaurants in the US discovered in June, P.F. Chang's China Bistros confirms 33 locations whose payment processing systems have been compromised and the time frame the data is believed to have been stolen.
The news about the incident broke on June 10, when the restaurant was alerted by the US Secret Service that a compromise of credit and debit card data might have occurred at some P.F. Chang's locations in the US.
An investigation was initiated in cooperation with third-party forensics experts to determine the extent of the incident.
Although the compromise has been acknowledged, the evaluation of the systems could not offer information “that any specific cardholder's credit or debit card data was stolen by the intruder,” the CEO of P.F. Chang's, Rick Federico, said in the statement.
The info potentially stolen includes the card number and in some cases the name of the owner and/or the card's expiration date.
From the details provided by the company, the earliest sign of intrusion was detected on October 10, 2013, and the breach lasted until June 11, 2014.
Affected locations are in cities in Arizona, California, Florida, New York, New Jersey, Virginia, Missouri, Tennessee, Pennsylvania, North Carolina, Ohio, Oklahoma, Colorado, Illinois, Maryland, Nevada, Texas and Washington. The full list of cities is available on this page.
One of the immediate measures taken by the restaurant to ensure that their payment systems did not inflict any compromise risk to their customer’s financial information was to switch to an old-school method for processing card data, manual card imprinting.
The credit and debit card information stolen from P.F. Chang’s restaurants went on sale on underground forums for prices between $18 (13EUR) and $140 (104 EUR). The authors of the breach appear to be Russian, according to the forum post and the fact that the advertiser asked to be paid on days that were not official Russian holidays, referring to this fact specifically.
“P.F. Chang's encourages its guests to remain vigilant and seek to protect against possible identity theft or other financial loss by reviewing account statements for any unusual activity, notifying their credit card companies, and monitoring their credit reports. Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit bureaus,” said Federico.
Furthermore, customers can place a “fraud alert” on their financial files with any of the three credit bureaus, at no charge.
A rough estimation of the total amount of cards that could have been compromised told of more than 7 million. However, this number is likely to be an exaggeration in view of the new details, considering that it took into account all 204 P.F. Chang’s locations in the United States.