Nationwide restaurant chain P.F. Chang’s Chinese Bistro on Thursday confirmed news first reported on this blog: That customer credit and debit card data had been stolen in a cybercrime attack on its stores. The company had few additional details to share about the breach, other than to say that it would temporarily be switching to a manual credit card imprinting system for all P.F. Chang’s restaurants in the United States.
In statement released to this reporter this evening, P.F. Chang’s said it first learned of the breach on June 10, the same day this publication pointed to evidence that the eatery chain may have been compromised. Their complete statement is as follows:
“On Tuesday, June 10, P.F. Chang’s learned of a security compromise that involves credit and debit card data reportedly stolen from some of our restaurants. Immediately, we initiated an investigation with the United States Secret Service and a team of third-party forensics experts to understand the nature and scope of the incident, and while the investigation is still ongoing, we have concluded that data has been compromised.
At P.F. Chang’s, the safety and security of our guests’ payment information is a top priority. Therefore, we have moved to a manual credit card imprinting system for all P.F. Chang’s China Bistro branded restaurants located in the continental United States. This ensures our guests can still use their credit and debit cards safely in our restaurants as our investigation continues.
We have also established a dedicated public website, pfchangs.com/security, for guests to receive updates and answers to their questions.
Because we are still in the preliminary stages of our investigation, we encourage our guests to be vigilant about checking their credit card and bank statements. Any suspected fraudulent activity should be immediately reported to their card company.
We sincerely regret the inconvenience and concern this may cause for our guests.”
Asked for clarification on what manual credit card processing means, a spokesperson for P.F. Chang’s said “all domestic P.F. Chang’s branded restaurants in the Continental U.S. will be retaining the carbon copies. P.F. Chang’s is also deploying dial-up card readers to restaurants that will be plugged in via the PSTN fax line and used to process the slips.”
This manual check-out process was actually witnessed today by an incident handler at the SANS Internet Storm Center, who reported that “the bartender placed the bill down along with a manually run credit card from one of the ole’school card imprinters.”
Well, maybe there is something to be said for security by obscurity.