Quick Hits

P.F. Chang's The Latest Target?

The restaurant chain is investigating a possible data breach.

Another day, another retail breach. The P.F. Chang's restaurant chain is investigating reports of a possible hack that may have exposed customer payment card information.

KrebsOnSecurity reported late yesterday that a new batch of thousands of stolen payment cards, including card numbers that had recently been used at P.F. Chang's restaurants, went on sale at a carding site best known for selling payment data stolen from Target.

"P.F. Chang's takes these matters very seriously and is currently investigating the situation, working with the authorities to learn more. We will provide an update as soon as we have additional information," a P.F. Chang's spokesperson said in response to an inquiry about a possible breach.

Security experts have been expecting more retailers to come forward in the wake of high-profile breaches at Target, Michaels, Neiman Marcus, and Sally Beauty.

Will Gragido, director of security intelligence at NSS Labs, says this latest possible retail breach is yet another example of a company learning from a third party, rather than from its own monitoring, that it has been compromised.

"This new P.F. Chang's breach continues an ongoing trend of high profile breaches where the company seems to have no internal awareness about its occurrence until this external notification of private information has been exposed, and the focus for identification is all occurring post-breach," Gragido says. "With the increasingly frequent attacks against the retail industry and POS infrastructure, it appears there is a larger systemic issue at play, and it is likely that these breaches will continue."

He says POS systems are not being properly secured. "The fact that retailers are being more heavily targeted than perhaps ever before suggests that there are fundamental flaws in the security programs and controls which govern the point of sale [PoS] infrastructures serving these environments. It's been my experience that most retailers do not place the same level of scrutiny on their PoS infrastructure as they do on their internal infrastructures."