June 12, 2014

Nationwide restaurant chain P.F. Chang’s Chinese Bistro on Thursday confirmed news first reported on this blog: That customer credit and debit card data had been stolen in a cybercrime attack on its stores. The company had few additional details to share about the breach, other than to say that it would temporarily be switching to a manual credit card imprinting system for all P.F. Chang’s restaurants in the United States.

In statement released to this reporter this evening, P.F. Chang’s said it first learned of the breach on June 10, the same day this publication pointed to evidence that the eatery chain may have been compromised. Their complete statement is as follows:

“On Tuesday, June 10, P.F. Chang’s learned of a security compromise that involves credit and debit card data reportedly stolen from some of our restaurants. Immediately, we initiated an investigation with the United States Secret Service and a team of third-party forensics experts to understand the nature and scope of the incident, and while the investigation is still ongoing, we have concluded that data has been compromised.

At P.F. Chang’s, the safety and security of our guests’ payment information is a top priority. Therefore, we have moved to a manual credit card imprinting system for all P.F. Chang’s China Bistro branded restaurants located in the continental United States. This ensures our guests can still use their credit and debit cards safely in our restaurants as our investigation continues.

We have also established a dedicated public website, pfchangs.com/security, for guests to receive updates and answers to their questions.

Because we are still in the preliminary stages of our investigation, we encourage our guests to be vigilant about checking their credit card and bank statements. Any suspected fraudulent activity should be immediately reported to their card company.

We sincerely regret the inconvenience and concern this may cause for our guests.”

Asked for clarification on what manual credit card processing means, a spokesperson for P.F. Chang’s said “all domestic P.F. Chang’s branded restaurants in the Continental U.S. will be retaining the carbon copies. P.F. Chang’s is also deploying dial-up card readers to restaurants that will be plugged in via the PSTN fax line and used to process the slips.”

This manual check-out process was actually witnessed today by an incident handler at the SANS Internet Storm Center, who reported that “the bartender placed the bill down along with a manually run credit card from one of the ole’school card imprinters.”

Well, maybe there is something to be said for security by obscurity.

99 thoughts on “P.F. Chang’s Confirms Credit Card Breach

  1. JJ

    To help protect yourself if you don’t use cash, use a credit card and never have a debit card.

    To stop this problem you need to fix the root cause: company executives that incur no personal liability. For all of its faults, when Sarbanes-Oxley threatened jail time for the CEO and CFO, they took notice and complied. For a while, anyway.

    PCI does not work because the card companies refuse to disclose who lost cards and who incurred fines costing how much money. PCI fines have the appearance of hush money to keep the negligent companies out of the news and generating more swipe fees for the card brands and banks.

    Companies cannot live without electronic transactions any more. That gives the card brands a big stick.

    And state laws that exempt banks and others covered by federal regulations are a big part of the problem. There are really no federal disclosure laws. The states should require all entities to file with the AG and they should all publish those filings. No exceptions.

  2. nobody

    Brian, I have told you already on Target’s cracking.
    It was NOT the HVAC guy.
    It was admin in India that were paid off 50+K to allow the backdoor.
    This is the same thing that continues to happen, and yes, that includes P.F. Changs.

    You will note that due to India manipulating their money, that they average software engineer in India makes about $8-10k/year. As such, a simple offer of 5-10 years worth of salary can get you a backdoor into a network of larger profitable western companies like this.

    And this will continue until one of 2 things happen:
    1) India quits manipulating the money and allows it to jump up to about 10-20 rupees / $1, which is where it belongs.
    2) other western companies realize what a horrible security threat this is. You will note that every last company that was cracked in the last 2 years have software/admin going on in India, BUT, do not have any of their retail functions there. IOW, these individuals that sell their service are NOT hurting their own nation as long as others continue to be racists and say that it could not happen. In addition, they are not going to be easily caught.

    1. Michael V.

      I like your theory however can you provide even the slightest bit of proof of this? As you can imagine it appears that you had your job outsourced to India and may just be posting this false info. But please, post some evidence, I would not doubt it.

    2. Ralph Daugherty

      I’d be the last person to defend outsourcing IT to another country (from whatever country you’re in), but this post saying that Indian admins are backdooring the POS systems is dicey technically and presented as racist, which is unacceptable.

      The end result is well established with Brian’s forensics work. Card data is offered for sale by former USSR individuals, the data was gathered by a Windows process that was installed engineered tp look at memory locations of specific POS software running on the PC to copy the card data when it is read and being processed. It is almost certain that this data is socketed to a local server to batch up.

      The premise that an admin installed the software and then delivers the card data files to the Russians would be predicated on the notion that it’s easier and more fool proof to recruit Indian admins contracting to a target retailer, without raising suspicions of anyone who may report it, than to probe IP addresses for Windows servers and break into them.

      Anyone with half a clue knows that the latter is very easy, the former successfully setting up an operation without altering one person who would report the activities very difficult.

      In addition, it was widely reported that the Indian admins acted on software intrusion alerts and the IT staff at Target corporate ignored their reports. So not only did the Indian admins not perform this intrusion, they performed their job and passed on the intrusion alerts.

      An apology for the nature of the post is in order.

      1. Ralph Daugherty

        That should be without “alerting” one person.

        Also I shouldn’t have mentioned anything about the nature of the post, not my place to do that.

      2. nobody

        First, I am married to a southern Indian (Chennai), so your rant about racism is null and void, and quote frankly, speaks volumes about you.

        Secondly, I am a software engineer, but am on medical leave. And considering where I used to work, my job was NEVER threatened by outsourcing.

        Third, look at the facts. You have different companies being cracked and backdoors installed. The first thing in common with those, are the windows system. BUT, you will find that in every single case, that is NOT enough. IOW, these were not frontal assaults. So, what common method was used? You really think that a stolen logon was used? Nope. In fact, I promise you that they have not found a single trace of actual on-site compromises on any of these attacks.

        Instead, in every single case, you will find that all of these compromises just show up. And I promise you, that in nearly all of these cases, that off shoring to nation(s) that have manipulated their money to be much less than ours, has made them the land of cheap promise for these attacks.

        And I will put money down that pf changs, like target and NM, and others, has outsourced to one of several nations vital access. It could just be remote admin, or working on older systems, but they gave remote access to those networks.

        1. Ralph Daugherty

          As a software engineer, you will understand that the POS malware was constructed to spy on specific POS software running at a company. It’s just a matter of running a copy of the POS software under a debugger that can examine the state of Windows and processes running in it, and identify what (relative) location the card data is read into for processing when swiped. Then you write a memory resident process and get Windows to install it. This is done every day when getting malware passed into a PC through various exploits.

          It is much harder to identify Indian admins working for a specific target company, identify that they have the authority to remotely install software from India on the POS’s, and arrange for them to install the malware on every POS in exchange for a bribe, which in itself is a difficult proposition from Russia, but do this without alerting one person to the scheme who reports it to their bosses or to the company they’re doing admin work for. Just one person out of all these corporate contractors mentions it, and it would be known that this takes place. Instead we have you.

          You should be somewhat aware of IP address snooping and identifying Windows servers exposed to the internet, and the exploits I mentioned earlier, only run on the server to establish a breach, then the same or a different exploit used to update the POS’s identified from by IP address snooping on the corporate network.

          This is all standard malware practice, the only tweak is the customized malware to spy on a POS software data location where the card is read and processed. This would require a customized malware for each POS software package.

          The only stupid thing involved here are the Windows IT nitwits who have no more clue about what I just told you than apparently you do. So good luck, this will keep happening because the Russians are smarter than people using Windows for critical business processing. They’ll steal from you all day long, till the cows come home as they say. If I have to put money on the Russians versus Windows admins, it’ll be the Russians.

          1. Ralph Daugherty

            actually, thinking about it, you wouldn’t even need to run the POS software under a debugger or customized for locations in different POS software. They would just have the malware scan memory for card data identifable format info and then focus on that location once found. I was thinking they wouldn’t want to probe all memory and possibly alert AV software but it’s probably a small risk and the malware is good to go on any POS PC.

          2. nobody

            Wowe Ralph. From one insult to another. Just have to love it.

            Several things.
            1) IT in India is very different than in America. It is VERY difficult to get a job there. BUT, once you get it, you pretty much are there for life.
            Now, these people will remain on low pay. However, it is still above others. As such, they will make a big todo of telling others what they do. You have to understand that most male coders/admin/etc there will want to announce it to future bride’s parents, esp. if they are trying to jump caste levels. As such, it is really pretty easy to find out who works where inside of companies.
            2) Russia has CHEAP flights to India. I mean REAL CHEAP. Russia has historically been a tight partner with India, esp. since Nixon threatened Ghandai with a nuke (which was the root cause of what we have nuke proliferation).
            3) As to the issue of intrusion report, they said that sofware monitoring detected various intrusions. They NEVER said that it detected the ORIGINAL intrusion. Only the later ones.
            Re-read what is said.

            I have no doubt that they had people like you in target that ignored the continuing alerts.

            BTW, As I said, my jobs were not threatened by outsourcing.
            I worked on USA PATRIOT act.
            And I have to say, that people like you made my job easy.
            Take care.

            1. Magnum

              So you are one of the a-holes that “worked on the PA”
              VERY LOUDLY –

  3. Eric Chan

    US is the last place to switch to EMV, and the root cause is Visa/Mastercard allowing anybody to use someone else’ credit card number to take money. If PCI requires merchant to protect the credit card number, why do you design it to let everybody can view the credit card number on the card, and allow everybody to read the credit card number from the magnetic stripe?

    1. Danny

      I think you are missing a few things. What happens the first time you go to pay for something and that little mag stripe or chip won’t read properly? Are you just out of luck? That’s why they emboss the numbers on the card so they can still take payment. What if the internet connection or phone line were down? Again, to take manual payments. Consumers will be the ones getting screwed with EMV / chip and pin.

      1. Jonathan

        Eric nailed it: the payment card system was designed to fail in favor of payment. Which is bad for *consumers*, good for HUMANS who haven’t amputated every other part of their humanity.

  4. JJ

    I agree with everything you wrote but want to comment on this one paragraph specifically and not in context of what you wrote:

    “In addition, it was widely reported that the Indian admins acted on software intrusion alerts and the IT staff at Target corporate ignored their reports. So not only did the Indian admins not perform this intrusion, they performed their job and passed on the intrusion alerts.”

    What has never been mentioned is the quality and quantity of alerts passed on. My experience with outsourced monitoring is that they tend to pass on everything to give the appearance that they are doing the job you’re paying them for without providing the pre-filtering that they should be doing so they just pass on other-than-the-noise alerts.

    I never read that the Indian group was an outsourcing company and not Target employees. Are you sure of that?

    On a semi-related note, it appears someone leaked the final report written by Verizon on their investigation of the Stratfor hack. It is at http://cryptome.org/2014/06/verizon-stratfor-hack.pdf and having read some Verizon reports before, it appears authentic.

    It reads just like so many before it except in this case allegedly Statfor hung their payment servers directly on the Internet without a firewall in front of them. They had Cisco ASA’s on the office network with no logging other than memory buffers and the two environments were directly tied together.

    Maybe someday the Target one will see the light of day as well.

    1. Ralph Daugherty

      @JJ, I am not sure if the Indians were employees or contractors, I don’t think it makes much of a difference. Presumably the pay which is what the OP alleges is the basis for bribing would be market value there either way.

      There was a thread here awhile back that had some mention of instrusion software run there at Target and the report is that the intrusion software detected as it should have and the Indians on duty passed on the alert as was their job.

      Could the software have too many false positives and thus all alerts ignored? I suppose, but that’s a function of admin management to tune the parameters if that was the case. In any case had the Indians ignored the alert they would 1) have been wrong instead of corporate and 2) they’d be blamed for allowing the intrusion. Why is Target corporate IT ignoring the alerts not the issue here?

  5. Chelsea Higgins

    One of the most effective steps organizations can take to reduce the risk of accidental or intentional misuse or theft of personal data is to voluntarily undergo a compliance audit provided by a licensed Certified Public Accountant (CPA) and Qualified Security Assessor (QSA) firm like 360 Advanced (www.360advanced.com). 360 Advanced specializes in integrated compliance solutions for information service providers related to internal controls, security, confidentiality, privacy, processing integrity, availability and other elements critical to information surety.

  6. JJ

    Chelsea, seriously? You’re coming across like a shill.

    Accountants are one of the WORST people to perform security assessments because their training and mindset is to follow the rules to the minimum extent possible and check the appropriate boxes. The less the customer of a CPA has to do, the more the CPA is cost-effective for the customer. They’re trained in financials, not operations or even basic IT.

    This is precisely why SSAE 16 assessments and the predecessor SAS 70 are absolutely WORTHLESS in determining the security posture of an organization. Even a SOC 2 Type 2 does nothing but establish that controls are in place and that the controls are followed. But they NEVER evaluate whether they are the proper controls in the first place. They are nothing more than an employment and revenue generator created by accountants and auditors for accountants and auditors.

    QSAs are also compliance-oriented. Compliance is a less-than-minimum baseline for true security because the attackers always know the rules you play under and they will use that against you. QSAs are so interested in the following the letter of the law to stay out of Remediation status that PCI-DSS has become a bad, expensive joke.

    You don’t have to look any further than the PCI SIGs and their guidance. Totally worthless and a waste of a lot of talent. Why? Because they have no standing. The PCI-DSS is controlling and QSAs and merchants/issuers/service providers are permitted to completely ignore the SIG guidance docs. Even if you follow the SIG guidance to the letter, it has absolutely NO bearing on your PCI-DSS compliance status because the DSS is controlling.

    If you want true enterprise security, lose the auditors and accountants and hire people who can think outside of the tired, worn-out controls and implement controls and processes that are based on experience, mistakes made by others and 100% continual vigilance.

    1. Mugs

      One of the best rants, and really true when you talk security concerns with a CFO.

    2. Magnum

      The card brands have purpose-built the PCI-DSS as a profit center. Passing a ROC does not equal a secure infrastructure. For every lock, there is a locksmith.

  7. Mark

    Be sure to ask how they handle, secure, and destroy the imprints afterwards. All part of the PCI DSS.

  8. Linwood

    I have to say that, very simply a string of digits, a few of which are harder to come by than others and some address information are nothing as compared to a more robust “chip on card” interrogation system. A much more effective solution is to offer this sort of 2-factor (or even offer up mobile phone verification on POS systems)

    An entire industry of card information would be rendered at least half as effective just by getting US banks and Credit Card systems on board.


    1. Linwood

      “An entire industry of…” => “An entire industry of stolen card information…”
      Sorry for the incomplete thought.

Comments are closed.