Endpoint // Privacy
6/14/2014
00:00 AM
Tim Wilson
Tim Wilson
Quick Hits
Connect Directly
RSS
E-Mail
50%
50%

P.F. Chang's Confirms Security Breach

After initial silence, P.F. Chang's restaurant chain goes live with website disclosing information on stolen credit card data.

Restaurant chain P.F. Chang's Thursday confirmed that it is investigating a security breach affecting credit and debit card data that may have been stolen electronically from some of its restaurants.

After initially declining to confirm reports about the breach, P.F. Chang's Thursday launched a website devoted to updating customers on the status of the investigation, which the company says is being conducted in conjunction with the US Secret Service and a team of third-party forensics experts.

The website offers few details on the compromise, so far, other than that it involves "credit and debit card data reportedly stolen from some our our restaurants." This wording has caused many experts to conclude that the breach occurred in P.F. Chang's point-of-sale (POS) systems, though the chain has not confirmed this conclusion. P.F. Chang's says it has reverted to a manual card imprinting system at all of its China Bistro-branded restaurants in the US until the investigation is complete.

The incident was not discovered by internal security staff, but was reported to the restaurant chain by the Secret Service on June 10, the website says.

Industry observers noted that the breach is another in a long line of data compromises that have occurred in the retail industry over the past year, including incidents at Target, Neiman-Marcus, and the Sally Beauty retail chains.

"This isn't surprising," says Philip Casesa, director of IT/service operations at (ISC)2, a leading association of security professionals. "In fact, it seems to follow the same MO as the Target and Sally Beauty attacks,
where point-of-sale machines with traditionally weak security were targeted. Large retailers maintain centralized connections to these machines for updating, and an attacker can exploit that to distribute malware efficiently and collect large swaths of magnetic stripe data from the cards. Without proper detection of this malware on the retailer's part, these breaches can run almost unfettered until the attackers have enough or their exploit window is somehow closed."

P.F. Chang's decision to go back to manual, paper-based credit card processing is a short-term answer, experts say.  

"Going to the use of carbon forms together with payment information isn't as crazy as it sounds," says Dwayne Melancon, CTO at security firm Tripwire. "After all, if you're not sure which of your data systems you can trust, why would you put even more data into those systems?

"Carbon forms aren’t practical in the long term, though. The risk in paper-based collection is that many retailers no longer have effective processes or employee training designed to secure, monitor, and control physical card slips. A paper-based approach may reduce one specific type of risk, the risk still exists; the data protection problem has just changed form."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
6/18/2014 | 11:27:39 AM
Re: Carbon
Agreed, makes me wonder how PF Changs expects to process all credit cards with carbon imprints.  All of my cards are printed on and not raised.

I'm afraid this will lead to them writing down numbers on paper instead which is far less secure.
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
6/16/2014 | 3:15:45 PM
Re: Carbon
Card technology needs to be impoved dramatically. It will be a huge investment but the greater security and less chance of data loss will benefit all in the long run. How many more retailers getting hit will it take for everyone to get the hint that something must change?
theb0x
50%
50%
theb0x,
User Rank: Moderator
6/15/2014 | 2:51:31 PM
Carbon
I would like to point out that more secure credit/debit cards do not have raised numbers. It is all printed directly on the card.  Cards that contain this feature do not leave traceable imprints on a person's receipts or card sleeve inside their wallet or purse. Simply sketching a pencil and paper over the imprinted object reveals it all. This is all accomplished with out the physical card.

It's more than the security of POS systems we need to be concerned about.


Looks like I'll be paying cash because carbon doesn't work on me.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4262
Published: 2014-07-28
svnwcsub.py in Subversion 1.8.0 before 1.8.3, when using the --pidfile option and running in foreground mode, allows local users to gain privileges via a symlink attack on the pid file. NOTE: this issue was SPLIT due to different affected versions (ADT3). The irkerbridge.py issue is covered by CVE-...

CVE-2013-4840
Published: 2014-07-28
Unspecified vulnerability in HP and H3C VPN Firewall Module products SECPATH1000FE before 5.20.R3177 and SECBLADEFW before 5.20.R3177 allows remote attackers to cause a denial of service via unknown vectors.

CVE-2013-7393
Published: 2014-07-28
The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions...

CVE-2014-2974
Published: 2014-07-28
Cross-site request forgery (CSRF) vulnerability in php/user_account.php in Silver Peak VX through 6.2.4 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts.

CVE-2014-2975
Published: 2014-07-28
Cross-site scripting (XSS) vulnerability in php/user_account.php in Silver Peak VX before 6.2.4 allows remote attackers to inject arbitrary web script or HTML via the user_id parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.