PF Chang’s data breach lasted 8 months

Asian-themed US restaurant chain P.F. Chang’s China Bistro has finally provided some more details about the breach it suffered earlier this year, including the 33 restaurant locations where the security of their PoS systems was compromised.

The company first found out about the compromise on June 10, 2014, when it was alerted by the US Secret Service. On the very next day, they moved to a manual processing system for all credit and debit card transactions. Once the affected hardware had been replaced, they went back to their standard card processing system.

The subsequent investigation revealed that the initial intrusion dates back to October 10, 2013. The company believes that the thieves made away with card numbers and, in some cases, also the cardholder’s name and/or the card’s expiration date.

The compromised locations are in Arizona, California, Florida, New York, Ohio, Colorado, New Jersey, Pennsylvania, Tennessee, Virginia, Missouri, North Carolina, Oklahoma, Illinois, Nevada, Maryland, Texas, and Washington (full list provided here, as well as the time frame within which they were compromised).

The investigation is still ongoing, and there could be more revelations. “P.F. Chang’s is taking steps to protect your credit card information. You are automatically protected with AllClear Secure for the next 12 months – there is no action required on your part to receive this service,” they wrote, adding that it would be a good idea for customers to contact credit bureaus and ask them to place a fraud alert on their files.

The stolen card data appeared for sale on the well-known carder store Rescator(dot)so in June, and was sold for prices between $18 and $140 per card.
