P.F. Chang's China Bistro confirmed a credit card data breach impacting all 211 of its restaurants and indicated that digital forensics investigators are still determining the scope of the attack.
In an announcement today, Rick Federico, CEO of the Scottsdale, Ariz.-based restaurant chain, said the company is still in the preliminary stages of the investigation and didn't have a time frame that the attackers gained access to the data. The company was informed that it may be the source of a credit card leak on Tuesday, he said.
"Immediately, we initiated an investigation with the United States Secret Service and a team of third-party forensics experts to understand the nature and scope of the incident, and while the investigation is still ongoing, we have concluded that data has been compromised," Federico said in a statement. "We encourage our guests to be vigilant about checking their credit card and bank statements. Any suspected fraudulent activity should be immediately reported to their card company."
Federico said the company is still accepting credit card payments through a manual imprinting process while it investigates the extent of the incident. The company informed credit card issuers, and also obtained legal counsel that specializes in data privacy, he said.
The data security breach was first reported by Brian Krebs, an independent reporter who writes about credit card theft and organized cybercrime. On Tuesday, Krebs reported that a website that specializes in selling stolen credit cards and other data was flooded with thousands of credit and debit cards. Krebs reported that the banks he contacted said that all the cards were used at P.F. Chang's restaurants between March 2014 and May 19, 2014.
Security experts in the channel say the latest string of credit card breaches helps put a much-needed focus on security. Since the massive Target Breach last November, attackers using similar tactics stole credit card data from Neiman Marcus, Michaels Stores and Sally Beauty, among others.
The merchants are required to meet the Payment Card Industry Data Security Standards, but attaining the spirit set out in the guidelines requires an ongoing assessment of the payment network and proactive monitoring of the systems associated with it, said Mike Cotton, vice president of research and development at San Antonio-based Digital Defense, a firm that specializes in conducting audits on risk assessments of corporate networks.
"Everyone agrees that the existing compliance standards that have been put in place need to evolve to keep up with the latest tactics attackers are using," Cotton said. "From my perspective working with a number of institutions, I can say without a doubt that the security postures are improving but it's a constant battle being waged out there."
Business owners are at a disadvantage because of growing network complexity that breeds configuration weaknesses, software applications riddled with vulnerabilities and employees that can be easily lured into clicking on links or giving up sensitive information, said Robert McMillen, president of All Tech 1, Tigard, Ore.
"These breaches show how not putting dollars into personnel and stronger processes to support the equipment and software can lead to a very bad incident," McMillen said. "It's not just a problem for large-scale companies like these, because smaller companies can't absorb the fallout; they're at risk of losing everything."
Breaches of this kind will continue for years to come because attackers are continually one step ahead of police and the available defenses, said Bob Coppedge of Hudson, Ohio-based managed service provider Simplex-IT. Cybercrime has become a massive business with organized cybercriminal groups in Eastern Europe, Russia and Asia at its core, he said.
"Just about anyone can carry out an attack with the automated tools that are available today, but these latest big breaches are very clearly well planned," Coppedge said. "The war against the bad guys is not going to be won anytime soon."
PUBLISHED JUNE 13, 2014