Chinese Chain P.F. Chang’s Hit in Latest POS Scam

The popular Chinese-fusion restaurant chain PF Chang’s has revealed they have been the latest victims of a POS scam, one which claimed the credit and debit card numbers of thousands of customers over a period of around eight months in total.

Up to 33 locations from around the United States were hit by the hack, which represents just under 10 percent of all the restaurants PF Chang’s operates within the country. The attack lasted for longer than any other POS scheme we’ve seen so far, stretching from October of 2013 up until early last month, when the company was alerted to the problem by an independent security agency tasked at keeping these types of threats at bay.

“We have determined that the security of our card processing systems was compromised, and we have reason to believe that the intruder may have stolen some data from certain credit and debit cards that were used during specified time frames at 33 P.F. Chang’s China Bistro branded restaurant locations in the continental United States,” the company said in their official statement addressing the issue.

After discovering the problem, the affected restaurants were brought offline and switched to a carbon copy system, much like those seen in the earliest days of credit cards which make a too-satisfying “CHACHUNK” sound each time your details are swiped and saved.

Unlike the breaches of Target or Neiman Marcus, PF Chang’s believes that a greater breadth of data was picked up by the still-elusive hacker behind the attack, including names and expiration dates, which would allow anyone with the information at hand to commit a large number of assorted financial crimes that might otherwise be limited if they only had access to the numbers on their own.

“The potentially stolen data includes the card number and in some cases also the cardholder’s name and/or the card’s expiration date. However, we have not determined that any specific cardholder’s credit or debit card data was stolen by the intruder.”

This isn’t the first time Chang’s has been hit by an attack of this kind either. Back in June of this year, the company revealed they had lost an indeterminate amount of data over a period of months, and while there has been no confirmation that these two events are related or even possibly one in the same, certain members of the security community believe that the company has simply split up the news of the blow into two sections, hopefully lightening their impact on the business and creating less of a panic which could lead to a decline in sales if their PR team doesn’t handle things carefully enough.

The company has urged anyone who might have frequented their establishment during the aforementioned time period to keep a close eye on their monthly banking statements, and to immediately report any suspicious activity that might pop up as a result of this issue. The full list of affected locations and further details about the problem can be found on PF Chang’s website here.

“P.F. Chang’s encourages its guests to remain vigilant and seek to protect against possible identity theft or other financial loss by reviewing account statements for any unusual activity, notifying their credit card companies, and monitoring their credit reports. Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit bureaus.”