After investigating a possible data breach involving customer credit and debit cards, restaurant chain P.F. Chang's
has confirmed it was compromised. The confirmation comes after the company was contacted by the United States Secret Service and law enforcement last week over a possible cyberattack. An online listing of card data was reportedly found by a security researcher indicating the source as P.F. Chang's.
It took the company two days to confirm the breach, after being originally notified on June 10. According to CEO Rick Federico, P.F. Chang's began working on the investigation with the Secret Service to determine the truth of the claim. While the investigation is still said to be in the preliminary phases, the company has found that their data had indeed been compromised.
Security consultant Brian Krebs initially reported on the data breach, after finding a list of data for sale on an underground website. While the data isn't exact card numbers, it contains the data recorded in the magnetic strips, which can be coded into fake cards. The listing, which contains approximately 5,000 cards at minimum, was said to be from the restaurant chain after several banks purchased and tested cards.
In response to the data theft and subsequent investigation, P.F. Chang's announced that it would be moving to a manual card printing method to process card transactions.
"At P.F. Chang's, the safety and security of our guests' payment information is a top priority," said CEO Rick Federico. "Therefore, we have moved to a manual credit card imprinting system for all P.F. Chang's China Bistro-branded restaurants located in the continental United States. This ensures our guests can still use their credit and debit cards safely in our restaurants as our investigation continues."
Krebs followed up
with the chain to get clarification on what the manual process entails. A spokesperson said all restaurants in the continental United States would keep carbon copies on hand. They would use dial-up card readers over public switched telephone network fax lines to process the transactions, foregoing standard electronic transmission methods.
P.F. Chang's still doesn't mention how many cards have been compromised, but it is still investigating who and how many customers were involved. The company setup a security page
on its website to keep customers apprised of the situation. It asks that any customers monitor their cards and report any suspect activity to the card issuer.
With the confirmation, P.F. Chang's becomes the fifth large retailer to be hit by a data breach in the last year. It follows major breaches from Target, Neiman Marcus, Sally Beauty and Michael's.