Following about two days of speculation, P.F. Chang's officially announced that it is investigating a breach involving credit and debit cards.
The company learned on Tuesday of a data breach involving payment cards used in some of its restaurants, according to a statement released on Thursday by Rick Federico, CEO of P.F. Chang's.
Details are sparse as an investigation is ongoing with law enforcement and third-party forensics experts.
Federico announced that the company has shifted to a manual card imprinting system for all P.F Chang's China Bistro restaurants in the United States – suggesting that point-of sale (POS) systems may have been compromised.
“Because we are still in the preliminary stages of our investigation, we do not yet know which credit or debit cards may be involved,” according to a FAQ posted to the P.F. Chang's website. “P.F. Chang's has notified the credit card companies and is working with them to identify the affected cards.”
Technology writer Brian Krebs reported on Tuesday that payment card data connected to P.F. Chang's had, a day prior, turned up for sale on rescator.so – the same underground store that was used to sell millions of cards stolen in the Target breach.
Krebs reported that the payment card data was copied from the magnetic stripes on the backs of the cards, which he explained is most commonly stolen in malware attacks on retailer registers – further lending credence to a POS compromise.
In a Friday email correspondence with SCMagazine.com, Adam Bosnian, executive vice president of the Americas at security company CyberArk, speculated that attackers used basic tactics, such as phishing, to steal privileged credentials within the P.F. Chang's network.
“This privileged access is critical because attackers can spiral through a network, hijacking additional accounts, elevating privileges to gain access to additional networks and infrastructure,” Bosnian said. “In a recent similar breach, attackers used this access to implant malware on the POS system to steal card data at the point of sale.”
Based on current information, Bosnian said P.F. Chang's response to the breach has been good; however, he added that shifting to a manual imprinting system is too inefficient in the long-term, and will only serve as a good stopgap measure.
A P.F. Chang's spokesperson deferred a SCMagazine.com request for additional information.