P.F. Chang's confirms theft of customer card data

Asian-themed restaurant says it will switch to old-style card imprint system after learning that customer data and debit card information was stolen.

Steven Musil Night Editor / News

Restaurant chain P.F. Chang's confirmed Thursday that customer data and debit card information was stolen in a data breach at its store locations.

The Asian-food chain, which announced earlier this week it was investigating a possible theft of customer data, offered few details of the intrusion but said in a statement it was temporarily switching to a manual credit card imprinting system for all of its restaurants in the continental US.

News of the breach was first reported by security researcher Brian Krebs, who identified card numbers that had popped up for sale on the Internet black market as being used by P.F. Chang's customers between March and May 19.

The restaurant chain said in a statement Thursday that it first learned of the security breach from the US Secret Service on June 10. In addition to assisting in the federal investigation, P.F. Chang's said it has retained a team of third-party forensics experts to determine the scope of the exposure.

"Because we are still in the preliminary stages of our investigation, we encourage our guests to be vigilant about checking their credit card and bank statements," the company's statement reads. "Any suspected fraudulent activity should be immediately reported to their card company."

The company also said it was temporarily moving to a system in which credit card purchases would be recorded with an old-fashioned credit card imprint system that produces carbon copies of the credit card for the cardholder's signature. A spokesperson for the chain told Krebs that it would also be deploying dial-up credit card readers to store locations to process charges.

The revelation comes amid an apparent uptick in security breaches at retail locations. Retail giant Target revealed in December that hackers had obtained the sensitive, personal information for more than 100 million customers who shopped in its stores late last year. The chain's CEO later confirmed that hackers had infected Target's point-of-sale terminals with malware to steal the payment card information.

In April, arts and crafts retail chain Michaels Stores revealed that two separate security breaches at point-of-sale terminals last year at its US stores and its Aaron Brothers subsidiary may have exposed nearly 3 million credit and payment cards. Security firms hired to investigate the breaches said attackers used highly sophisticated malware that neither had seen before.