Restaurant chain P.F. Chang’s China Bistro said on Tuesday that it is investigating claims of a data breach which may have led to debit and credit card details being posted on an underground forum.
According to journalist Brian Krebs, thousands of freshly stolen debit and credit cards appeared for sale on “carding” website Rescator on Monday.
The Rescator website is perhaps best known for its selling of tens of millions of the cards swiped as part of the Target breach.
Krebs contacted several banks and was informed that all of the stolen cards had been used at P.F. Chang’s restaurants across the United States between the beginning of March and 19 May this year.
In an emailed statement Anne Deanovic, a spokeswoman for P.F. Chang’s said:
P.F. Chang's takes these matters very seriously and is currently investigating the situation, working with the authorities to learn more. We will provide an update as soon as we have additional information.
The restaurant chain, owned by Centerbridge Partners, operates 211 stores in the US as well as additional eateries in Argentina, Canada, Chile, Mexico, Puerto Rico and the Middle East.
According to Krebs, banks have reported that the cards were only stolen from restaurants in the States, specifically in Florida, Maryland, New Jersey, Pennsylvania, Nevada and North Carolina.
We don’t yet know how it happened, although recent breaches such as that at Target and Neiman Marcus were as a result of attacks on point of sale (POS) systems. These kinds of attacks occur when thieves plant malware onto cash registers which then records the data stored on the magnetic strip of any swiped card.
Though retailers are required to encrypt payment card details, in some cases the data is briefly held in the computer’s memory in its unencrypted form, presenting an opportunity for the RAM to be scraped.
When payment card data is acquired by this method it can be re-encoded onto blank cards which are then just as good as the real thing.
Krebs reports that the stolen card details from P.F. Chang’s are being sold on Realtor for anywhere between $18 and $140 each (the price varies according to the issuing bank and likely credit limit for each card).
In either event, if this latest breach is confirmed, the costs will likely be significant – the Consumer Bankers Association and the Credit Union National Association put the cost of replacement cards following the Target breach at over $200 million.