Endpoint // Privacy
6/14/2014
00:00 AM
Tim Wilson
Tim Wilson
Quick Hits
Connect Directly
RSS
E-Mail
50%
50%

P.F. Chang's Confirms Security Breach

After initial silence, P.F. Chang's restaurant chain goes live with website disclosing information on stolen credit card data.

Restaurant chain P.F. Chang's Thursday confirmed that it is investigating a security breach affecting credit and debit card data that may have been stolen electronically from some of its restaurants.

After initially declining to confirm reports about the breach, P.F. Chang's Thursday launched a website devoted to updating customers on the status of the investigation, which the company says is being conducted in conjunction with the US Secret Service and a team of third-party forensics experts.

The website offers few details on the compromise, so far, other than that it involves "credit and debit card data reportedly stolen from some our our restaurants." This wording has caused many experts to conclude that the breach occurred in P.F. Chang's point-of-sale (POS) systems, though the chain has not confirmed this conclusion. P.F. Chang's says it has reverted to a manual card imprinting system at all of its China Bistro-branded restaurants in the US until the investigation is complete.

The incident was not discovered by internal security staff, but was reported to the restaurant chain by the Secret Service on June 10, the website says.

Industry observers noted that the breach is another in a long line of data compromises that have occurred in the retail industry over the past year, including incidents at Target, Neiman-Marcus, and the Sally Beauty retail chains.

"This isn't surprising," says Philip Casesa, director of IT/service operations at (ISC)2, a leading association of security professionals. "In fact, it seems to follow the same MO as the Target and Sally Beauty attacks,
where point-of-sale machines with traditionally weak security were targeted. Large retailers maintain centralized connections to these machines for updating, and an attacker can exploit that to distribute malware efficiently and collect large swaths of magnetic stripe data from the cards. Without proper detection of this malware on the retailer's part, these breaches can run almost unfettered until the attackers have enough or their exploit window is somehow closed."

P.F. Chang's decision to go back to manual, paper-based credit card processing is a short-term answer, experts say.  

"Going to the use of carbon forms together with payment information isn't as crazy as it sounds," says Dwayne Melancon, CTO at security firm Tripwire. "After all, if you're not sure which of your data systems you can trust, why would you put even more data into those systems?

"Carbon forms aren’t practical in the long term, though. The risk in paper-based collection is that many retailers no longer have effective processes or employee training designed to secure, monitor, and control physical card slips. A paper-based approach may reduce one specific type of risk, the risk still exists; the data protection problem has just changed form."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
6/18/2014 | 11:27:39 AM
Re: Carbon
Agreed, makes me wonder how PF Changs expects to process all credit cards with carbon imprints.  All of my cards are printed on and not raised.

I'm afraid this will lead to them writing down numbers on paper instead which is far less secure.
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
6/16/2014 | 3:15:45 PM
Re: Carbon
Card technology needs to be impoved dramatically. It will be a huge investment but the greater security and less chance of data loss will benefit all in the long run. How many more retailers getting hit will it take for everyone to get the hint that something must change?
theb0x
50%
50%
theb0x,
User Rank: Moderator
6/15/2014 | 2:51:31 PM
Carbon
I would like to point out that more secure credit/debit cards do not have raised numbers. It is all printed directly on the card.  Cards that contain this feature do not leave traceable imprints on a person's receipts or card sleeve inside their wallet or purse. Simply sketching a pencil and paper over the imprinted object reveals it all. This is all accomplished with out the physical card.

It's more than the security of POS systems we need to be concerned about.


Looks like I'll be paying cash because carbon doesn't work on me.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0985
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName parameter.

CVE-2014-0986
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the GotoCmd parameter.

CVE-2014-0987
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName2 parameter.

CVE-2014-0988
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode parameter.

CVE-2014-0989
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode2 parameter.

Best of the Web
Dark Reading Radio