PF Chang's says breach was 'highly sophisticated criminal operation'

But the restaurant chain still hasn't said how many cards were affected or how the data was stolen

Restaurant chain P.F. Chang's China Bistro says the theft of credit and debit card information from some of its restaurants earlier this year was "part of a highly sophisticated criminal operation."

But the chain, which only discovered the breach after a large batch of card numbers was offered on an Internet forum, said it's still working with the U.S. Secret Service and forensic experts to determine exactly what happened.

"We continue to make progress in our investigation into the recent security compromise that affected P.F. Chang's," said Rick Federico, CEO of P.F. Chang's, in a statement posted Tuesday on the company's website. "We will continue sharing important details once they have been confirmed by a team of third-party forensic experts."

The statement was the first update issued by the company in three weeks and added little to what was already known: that an attack apparently hit the point-of-sale systems in the company's restaurants and sucked up card numbers used between March and May of this year.

After the breach was discovered June 10, the chain switched to manual card imprinters in its restaurants, with the imprints later processed via an encryption-enabled terminal that works on a dial-up fax line. Additional terminals have recently been delivered to restaurants to decrease the reliance on the hand-operated imprinters, the company said.

The breach was the latest in a string of attacks against point-of-sale systems at major U.S. retailers. In late 2013, around 70 million customer records were compromised in an attack on Target stores, and criminals also targeted Neiman Marcus.

In those attacks, payment card details were grabbed by malicious software after cards were swiped. P.F. Chang's has yet to disclose specific details about how attackers gained access to card information in its system.

A recent survey determined such breaches are speeding adoption of chip-based payment cards in the U.S.

Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn's e-mail address is
