theDocumentId => 1278577 P.F. Chang's Confirms Security Breach

Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Privacy

P.F. Chang's Confirms Security Breach

After initial silence, P.F. Chang's restaurant chain goes live with website disclosing information on stolen credit card data.

Restaurant chain P.F. Chang's Thursday confirmed that it is investigating a security breach affecting credit and debit card data that may have been stolen electronically from some of its restaurants.

After initially declining to confirm reports about the breach, P.F. Chang's Thursday launched a website devoted to updating customers on the status of the investigation, which the company says is being conducted in conjunction with the US Secret Service and a team of third-party forensics experts.

The website offers few details on the compromise, so far, other than that it involves "credit and debit card data reportedly stolen from some our our restaurants." This wording has caused many experts to conclude that the breach occurred in P.F. Chang's point-of-sale (POS) systems, though the chain has not confirmed this conclusion. P.F. Chang's says it has reverted to a manual card imprinting system at all of its China Bistro-branded restaurants in the US until the investigation is complete.

The incident was not discovered by internal security staff, but was reported to the restaurant chain by the Secret Service on June 10, the website says.

Industry observers noted that the breach is another in a long line of data compromises that have occurred in the retail industry over the past year, including incidents at Target, Neiman-Marcus, and the Sally Beauty retail chains.

"This isn't surprising," says Philip Casesa, director of IT/service operations at (ISC)2, a leading association of security professionals. "In fact, it seems to follow the same MO as the Target and Sally Beauty attacks,
where point-of-sale machines with traditionally weak security were targeted. Large retailers maintain centralized connections to these machines for updating, and an attacker can exploit that to distribute malware efficiently and collect large swaths of magnetic stripe data from the cards. Without proper detection of this malware on the retailer's part, these breaches can run almost unfettered until the attackers have enough or their exploit window is somehow closed."

P.F. Chang's decision to go back to manual, paper-based credit card processing is a short-term answer, experts say.  

"Going to the use of carbon forms together with payment information isn't as crazy as it sounds," says Dwayne Melancon, CTO at security firm Tripwire. "After all, if you're not sure which of your data systems you can trust, why would you put even more data into those systems?

"Carbon forms aren’t practical in the long term, though. The risk in paper-based collection is that many retailers no longer have effective processes or employee training designed to secure, monitor, and control physical card slips. A paper-based approach may reduce one specific type of risk, the risk still exists; the data protection problem has just changed form."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
6/18/2014 | 11:27:39 AM
Re: Carbon
Agreed, makes me wonder how PF Changs expects to process all credit cards with carbon imprints.  All of my cards are printed on and not raised.

I'm afraid this will lead to them writing down numbers on paper instead which is far less secure.
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
6/16/2014 | 3:15:45 PM
Re: Carbon
Card technology needs to be impoved dramatically. It will be a huge investment but the greater security and less chance of data loss will benefit all in the long run. How many more retailers getting hit will it take for everyone to get the hint that something must change?
theb0x
50%
50%
theb0x,
User Rank: Ninja
6/15/2014 | 2:51:31 PM
Carbon
I would like to point out that more secure credit/debit cards do not have raised numbers. It is all printed directly on the card.  Cards that contain this feature do not leave traceable imprints on a person's receipts or card sleeve inside their wallet or purse. Simply sketching a pencil and paper over the imprinted object reveals it all. This is all accomplished with out the physical card.

It's more than the security of POS systems we need to be concerned about.


Looks like I'll be paying cash because carbon doesn't work on me.
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32790
PUBLISHED: 2021-07-26
Woocommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between version 3.3.0 and 3.3.6. Malicious actors (already) having admin access, or API keys to the WooCommerce site can exploit vulnerable endpoi...
CVE-2021-32791
PUBLISHED: 2021-07-26
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, the AES GCM encryption in mod_auth_openidc uses a static IV ...
CVE-2021-32792
PUBLISHED: 2021-07-26
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, there is an XSS vulnerability in when using `OIDCPreservePos...
CVE-2021-25801
PUBLISHED: 2021-07-26
A buffer overflow vulnerability in the __Parse_indx component of VideoLAN VLC Media Player 3.0.11 allows attackers to cause an out-of-bounds read via a crafted .avi file.
CVE-2021-25802
PUBLISHED: 2021-07-26
A buffer overflow vulnerability in the AVI_ExtractSubtitle component of VideoLAN VLC Media Player 3.0.11 allows attackers to cause an out-of-bounds read via a crafted .avi file.