The recently-announced credit card breach at P.F. Chang’s Chinese Bistro appears to have gone on for at least nine months: New information indicates that the breach at the nationwide restaurant chain began on or around Sept. 18, 2013, and didn’t end until June 11, one day after KrebsOnSecurity.com broke the news about the break-in.
Whenever there is a data breach that jeopardizes credit card accounts, Visa, MasterCard and the other card associations typically issue private Compromised Account Management System (CAMS) alerts to banks that issue their cards. The purpose of those CAMS alerts is to notify those institutions of specific cards thought to have been affected in a breach, so that institutions can re-issue the cards or otherwise take additional steps to manage the fraud exposure on those accounts.
On June 17, Visa issued a new CAMS alert to one of the banks that I worked with in reporting out the P.F. Chang’s story, letting them know that they had many hundreds of cards exposed in a recent breach that dated back to Sept. 18, 2013. That bank had purchased more than a dozen cards sold from an underground store that’s been exclusively selling cards stolen in the P.F. Chang’s break-in, and every one of those cards was listed on the June 17 CAMS alert from Visa.
The Visa document did not name P.F. Chang’s as the source of the breach (CAMS alerts typically do not identify the victim merchant directly). Visa declined to comment for this story. P.F. Chang’s spokeswoman Anne Deanovic declined to answer direct questions about the breach window, saying in a statement Tuesday that the company had not yet nailed down the exact timing of the breach. Deanovic added that there were no indications that the breach extended to any of its 192 Pei Wei Asian Diner locations across the country.
It’s not clear how many cards total have been compromised in the breach, but we can make some educated guesses. According to this first-quarter 2012 income statement for P.F. Chang’s, the company’s restaurants bring in approximately $320 million in sales each quarter, or about $100 million per month. Assuming an average customer check of $100 — and accounting for repeat customers and folks who pay in cash — that means PFC locations nationwide probably process approximately 800,000 credit and debit card transactions each month. And this is based on 2012 revenue estimates, so it’s conservative.
Assuming the breach affected all 211 P.F. Chang’s locations in the United States (a safe assumption since P.F. Chang’s recently switched to manual “knucklebuster” carbon-copy card imprinters at all locations), the nine-month breach is likely to have impacted more than 7 million cards.