P.F. Chang's May Have Leaked Info on Thousands of Credit Cards

June 11, 2014

The restaurant chain may be the latest victim of point-of-sale card heisters.

P.F. Chang’s China Bistro may have killer lettuce wraps, but the jury is still out on the status of its security profile: the nationwide chain is investigating a possible breach involving credit and debit cards used at its locations between March and May 19 of this year.

Brian Krebs, the security researcher who broke the Target breach story, said that on June 9, thousands of fresh, purloined credit and debit cards went up for sale in the same underground cyber-crime store that sold the millions of Target cards. The new batch is going for $18 to $140 each, depending on type and threshold (platinum vs. standard, for instance). They’re being advertised as “100 percent valid,” meaning none of them have yet been canceled by banks.

“The new batch of stolen cards, dubbed ‘Ronald Reagan’ by the card shop’s owner, is the first major glut of cards released for sale on the fraud shop since March 2014, when curators of the crime store advertised the sale of some 282,000 cards stolen from nationwide beauty store chain Sally Beauty,” Krebs noted in a blog detailing the situation.

Looking to season the stir fry of evidence, as it were, Krebs contacted several banks, which said that the cards in question had all been used at P.F. Chang’s locations within the aforementioned time period. For its part, P.F. Chang’s said that it “has been in communications with law enforcement authorities and banks to investigate the source,” but it so far hasn’t been able to confirm a compromise.

Unfortunately, that lack of visibility is endemic, researchers said. “Once an attacker is on your network, they have plenty of time to go after customer data, intellectual property or government secrets without being detected, which is why companies are being told they have been breached versus detecting it themselves,” said Eric Chiu, president and co-founder of HyTrust, in an email. “Organizations need to shift to an 'inside-out' model of security, and assume the attacker is already on the network.”