14 DAY TRIAL // The computation took into consideration the possibility that the company’s restaurants had in fact been leaking credit card data for a period of nine months, since September 2013.
According to KrebOnSecurity, Visa released a CAMS (Compromised Account Management System) alert on June 17 informing that hundreds of cards had been exposed in a recent breach that actually started on September 18.
CAMS alerts are generally circulated privately by card associations to banks that issue their cards, in order to inform them that certain cards have been involved in a data breach incident. The banks can then take the necessary steps for mitigating the damage.
Although the CAMS notification did not mention that the breach had occurred at P.F. Chang’s, one of the banks that contributed to breaking the news of the incident “purchased more than a dozen cards sold from an underground store that’s been exclusively selling cards stolen in the P.F. Chang’s break-in, and every one of those cards was listed on the June 17 CAMS alert from Visa,” says KrebOnSecurity.
At the moment, there is no clear information about the number of cards that were stolen, but Brian Krebs made some computations that included the income statement of the company for the first quarter of 2012, an estimate of the average customer’s bill and the number of P.F. Chang’s locations affected.
The estimation is that the restaurants processed about 800,000 credit and debit cards per month. Multiplied by the number of months provided by the Visa CAMS alert, this gives a total of 7,200,000 cards.
Of course, these are just estimates, but they are based on old information and rough calculations. The number could be much higher, or it can very well not reach this figure.
The results of the initial investigation revealed that the batch of stolen cards that were for sale on the underground forum have been used in locations in the US only, like Florida, Maryland, New Jersey, Pennsylvania, Nevada and North Carolina.
Also it appears that the seller is Russian because he instructed customers not to transfer the money for the items during the days of a Russian national holiday. The price for the cards varies between $18 (13EUR) and $140 (104 EUR).
As a precaution to future customers, P.F. Chang’s switched to charging the cards through a manual credit card imprinting system. This has been implemented in all their locations in the continental US.