P.F. Chang's China Bistro Inc. is investigating a possible data breach involving customers’ credit and debit card data stolen at its restaurants, the company said Tuesday.

Stolen credit and debit card data was put up for sale on an underground Internet site Monday, according to Brian Krebs, founder of KrebsOnSecurity.com, a website that covers computer security and cyber crime.

"P.F. Chang's takes these matters very seriously and is currently investigating the situation, working with the authorities to learn more,” said Anne Deanovic, a spokeswoman for Scottsdale, Ariz.-based P.F. Chang's, in a statement, adding, “We will provide an update as soon as we have additional information.”

P.F. Chang’s China Bistro had 211 U.S. units at the end of 2013, according to Nation’s Restaurant News’ Top 100 research, and sales of about $899.6 million. Its sister concept, Pei Wei Asian Diner, has 199 restaurants, including eight franchised locations, and systemwide U.S. sales of $332.6 million. They are owned by Centerbridge Partners L.P., a private equity firm.

Banks told Krebs that the data breach appeared to involve cards used at P.F. Chang’s locations in Florida, Maryland, New Jersey, Pennsylvania, Nevada and North Carolina, between the beginning of March and May 19.

Data breaches have been an ongoing and troubling issue for many companies for years. Several high-profile retailers have fallen victim to data breaches in just the past six months. Target Corp. in December suffered a breach involving 40 million credit and debit cards. It eventually led to the ouster of the company’s chief executive, as well as its chief information officer. Another retailer, Neiman Marcus, reported a breach in January of about 1.1 million customer records.

Restaurant chains have been hit by hackers before, including a case involving 11 Dave & Buster’s units and data taken from 81,005 cards in May 2009.

Financial consequences of a security breach add up quickly in terms of reputation and brand damage, lost productivity, lost revenue, and more.



The restaurant industry has started to prepare for changes in credit card technology and policies that will impact retail merchants in October 2015.

Major credit card companies are spearheading a switch from magnetic stripes to the EMV standard widely followed outside of the U.S., aimed at better protecting merchants and issuers from fraud losses at the point of sale. The standard requires cards have embedded chips that protect sensitive customer data using encryption.

In the suspected P.F. Chang’s case, Krebs wrote that “the items for sale are not cards, per se, but instead data copied from the magnetic stripe on the backs of credit cards. Armed with this information, thieves can re-encode the data onto new plastic and then use the counterfeit cards to buy high-priced items at big box stores, goods that can be quickly resold for cash (think iPads and gift cards, for example).”

The most common means of theft involve the thieves hacking into cash registers at retail locations and planting malicious software that records magnetic-stripe data as the cards are swiped at the machine.

Krebs’ research in the Chang’s case found that customer data was priced at $18 to $140 per card.

“Many factors can influence the price of an individual card,” Krebs noted, “such as whether the card is a Visa or American Express card; similarly, platinum and business cards tend to fetch far higher prices than classic and standard cards.”

Contact Ron Ruggless at ronald.ruggless@penton.com.
Follow him on Twitter: @RonRuggless