PF Chang's security breach: Data stolen from 33 locations over 8 months

If you dined at one of these specific restaurants, your credit card details may have been stolen.


Restaurant chain PF Chang's has released fresh details concerning the hack of the chain's credit-card processing terminals across the United States. The operation hit 33 locations and continued for approximately eight months.

On Monday, the company disclosed the locations affected by the cybercriminals. Eight locations suffered data theft from October 2013 until June this year, and a second batch of an additional eight locations was targeted in February ending June 2014. Another 15 restaurants were hit in April, again ending in June. In addition, two other restaurants were stolen from beginning in October and ending in April.

Locations in Arizona, California, Ohio, Colorado and New Jersey were among those that experienced data theft.

In June, the United States Secret Service alerted PF Chang's to the data breach, which the firm later called "a highly sophisticated criminal operation." Third-party forensics teams were drafted to ascertain how the theft was allowed to happen, and it was discovered that PF Chang's card processing systems were compromised.

In a statement, PF Chang's CEO Rick Federico said:

"The potentially stolen credit and debit card data includes the card number and in some cases also the cardholder's name and/or the card's expiration date. However, we have not determined that any specific cardholder's credit or debit card data was stolen by the intruder.

We regret any inconvenience this security compromise may have caused our guests. To better assist our guests whose card data may potentially have been affected, P.F. Chang's has established a confidential hotline to answer questions."

PF Chang's has not determined whether any specific individual's data was stolen and used due to the security breach. While the investigation is still ongoing, the restaurant chain said the data breach has been "contained," and credit card data has been securely processed since 11 June.

Dr. Mike Lloyd, CTO at security firm RedSeal Networks said:

"PF Chang’s statement about the extent of the breach they suffered is commendable -- consumers, investors and regulators demand transparency. However, the time it took is interesting -- it's an example of the "fog of war" that all organizations have to deal with today. Just as in real wars, defenders need to understand where they stand. Unfortunately, terrain mapping is quite hard in the overgrown, complex IT infrastructures we rely on.

Many organizations learn this the hard way -- even when informed they have been breached, they struggle to map out the extent of the attack, let alone understand how it happened, how to stop it, and how to clean up."

The company is offering fraud alert services with credit monitors to customers that may have been affected.

Show Comments