P F Chang’s chain suffers breach - thousands of cards for sale online

Newly stolen credit and debit card details, from cards used in P F Chang’s China Bistro, a nationwide American chain of restaurants, went on sale on an underground website this week at a site best-known for selling off the details of victims of the Target data breach. The new breach was again reported by cybersecurity journalist Brian Krebs.

The Verge reports that the scale of the breach is still unknown, but that banks contacted by Krebs said that the details all appeared to come from cards used in-store between, “March 2014 and May 19, 2014.”

The Register reports that the chain has confirmed that data has been leaked from multiple branches - and has resorted to using carbon paper card machines as a defensive mechanism. The move hints that, as with the Target breach, the card data could have leaked due to malware in point-of-sale terminals.

In a statement, Chang’s said, “On Tuesday, June 10, P.F. Chang's learned of a security compromise that involves credit and debit card data reportedly stolen from some of our restaurants. Immediately, we initiated an investigation with the United States Secret Service and a team of third-party forensics experts to understand the nature and scope of the incident, and while the investigation is still ongoing, we have concluded that data has been compromised.”

The restaurant has established a dedicated site for diners worried that their details may have leaked in the attack. ESET security researcher Lysa Myers offers tips for diners worried that they may have used their cards in a location leaking data to cybercriminals here.

The chain has 211 locations in America, as well as sites in Mexico, Canada and the Middle East, and a subsidiary chain Pei Wei’s Asian Diner, with 192 location, the Verge reports.

Krebs says that, according to banks his site has contacted so far, the cards appear to have been used at American branches of the restaurant.

The cards - which are being sold as sequences of numbers from the magnetic stripes on the reverse of cards - are advertised as “100% valid” and described as a “super fresh dump” - and being sold at prices ranging from $18 to $140 depending on credit limit and other factors. The advertisement suggests that the cards come from a fresh hack where users are unaware their details may have been compromised, Krebs says - hence the claim “100% valid”.

The Verge reports that if all branches of Chang’s and Pei Wei’s Asian diner have been affected, the numbers involved could be up to two million.

The story of Krebs’ exclusve revelations of data breaches and other major stores has been optioned as a feature film by Sony, as reported by We Live Security here. The studio has bought the rights to the New York Times article, "Reporting From the Web’s Underbelly," which told Krebs’ story in the wake of his exclusive revelations about the data breach at Target.