American Chinese restaurant chain PF Chang has said it is investigating a report of a possible data breach involving credit and debit card data.
According to USA Today, the data may have been stolen from restaurant locations nationwide. The chain has 211 P.F. Chang’s locations in the USA, and 192 Pei Wei Asian Diner restaurants. Initially detected by security blogger Brian Krebs, who found that customer data from thousands of credit and debit cards previously used at P.F. Chang’s restaurants went up for sale on an underground website.
Anne Deanovic, a spokeswoman for the chain, said: “P.F. Chang’s takes these matters very seriously and is currently investigating the situation, working with the authorities to learn more.”
Eric Chiu, president and co-founder of HyTrust, said: “The recent report of a potential breach at PF Chang’s is yet another reminder that breaches are happening more and more from the inside with companies like Target, eBay and Edward Snowden as prime examples. Once an attacker is on your network, they have plenty of time to go after customer data, intellectual property or Government secrets without being detected which is why companies are being told they have been breached versus detecting it themselves.
“Organisations need to shift to an ‘inside-out’ model of security and assume the attacker is already on the network. Critical systems and data need to be secured from the inside through access controls, role-based monitoring and data encryption, especially with highly concentrated environments leveraging virtualisation and cloud infrastructure.”
Mark Bower, vice president of product management and solution architecture at Voltage Security, said: “This breach is yet more proof that merchants need to heed Visa’s repeated warnings about point-of-sale malware risks and adopt a comprehensive data security approach to removing live data from vulnerable systems.
“The best practice advice includes end-to-end or point-to-point encryption of card data from secure readers before it even arrives in POS memory, tokenization for any post-sale or stored card processes, and EMV for future chip card acceptance. Other quick service restaurants, hospitality retailers and large merchants are already using this approach without impacting restaurant or merchant services, all the while making data useless to attackers. It’s not hard to do, so why continue to bet on not being breached when the cost impact can be so huge.”