P.F. Chang's has confirmed that earlier reports of a data breach involving stolen credit and debit card information are indeed accurate. According to a statement from CEO Rick Federico, the chain is currently investigating the issue with the United States Secret Service and a "team of third-party forensic experts to understand the nature and scope of the incident." P.F. Chang's does not know how many customers have been affected, but earlier reports note that the info stolen is from cards used at U.S. locations of the chain between March and May of this year.
Security blog Krebs on Security notes that a group of credit card numbers tied to the P.F. Chang's breach became available on Rescator, an underground website used by criminals to purchase credit card data. (It's the same site that was involved in the recent breaches at Target and Neiman Marcus.) The credit card numbers and codes can be purchased via Western Union transfers or Bitcoin because obviously, "customers cannot pay for the goods using [physical] credit cards." The data for each card from the P.F. Chang's breach is priced between $18-$140.
P.F. Chang's is still accepting debit and credit cards at all locations. However, the company has resorted to using old school "manual credit card imprinting" machines. The machines involve making carbon copies of credit cards. Besides being inconvenient, carbon copies are easier to misplace at the restaurant level. Perhaps the breach at P.F. Chang's shouldn't come as a huge surprise: A 2012 report notes that "restaurant credit card machines account for over half of reported hacker attacks." So, bring cash the next time you're craving lettuce wraps or soggy wontons. See the statement from P.F. Chang's:
STATEMENT FROM RICK FEDERICO CEO OF P.F. CHANG'S
On Tuesday, June 10, P.F. Chang's learned of a security compromise that involves credit and debit card data reportedly stolen from some of our restaurants. Immediately, we initiated an investigation with the United States Secret Service and a team of third-party forensics experts to understand the nature and scope of the incident, and while the investigation is still ongoing, we have concluded that data has been compromised.
At P.F. Chang's, the safety and security of our guests' payment information is a top priority. Therefore, we have moved to a manual credit card imprinting system for all P.F. Chang's China Bistro branded restaurants located in the continental United States. This ensures our guests can still use their credit and debit cards safely in our restaurants as our investigation continues.
We have also established a dedicated public website, pfchangs.com/security, for guests to receive updates and answers to their questions.
Because we are still in the preliminary stages of our investigation, we encourage our guests to be vigilant about checking their credit card and bank statements. Any suspected fraudulent activity should be immediately reported to their card company.
We sincerely regret the inconvenience and concern this may cause for our guests.