AFP compiles the most alarming—and informative—payments fraud news relevant to corporates in AFP Fraudwatch. This column is part of AFP’s Payments Fraud Resource Center and is intended to keep you aware of the latest threats to your organization.
Last week, P.F. Chang’s Chinese Bistro confirmed that it had undergone a massive security breach that compromised customer credit and debit cards. Though details of the breach were initially sparse, it is now being reported that the breach may have compromised up to 7 million cards and lasted for at least nine months
P.F. Chang’s said it first learned of the incident on June 10, the same day that Brian Krebs of Krebs on Security revealed evidence that a breach had occurred. On June 9, thousands of newly-stolen credit and debit cards went up for sale
on the Rescator underground card shop, which is best known for selling millions of cards stolen from the Target breach, Krebs noted. Several banks purchased cards back from this back and found that all of them had been used at P.F. Chang’s locations between March and May 2014.
Since the cards were listed on the site as “100 percent valid,” Krebs concluded that P.F. Chang’s only recently learned about the breach. Stolen card batches listed at 100 percent validity on one of these underground sites are an indication that banks have not been alerted to a compromise and have not canceled any of the cards.
Now, Krebs is reporting that the breach began on or around September 18, 2013, before finally coming to a close last week. Whenever data breaches occur, credit card companies issue Compromised Account Management System (CAMS) alerts to banks whose cards are believed to have been affected, he explained. Banks then can reissue cards or take other steps to minimize fraud exposure. On June 17, Visa issued a CAMS alert to one of the banks that had purchased about a dozen cards back from Rescator. Visa informed the bank that hundreds of its cards had been exposed in a breach that dated back to Sept. 18, 2013. Every one of the cards the bank and purchased from the underground site was listed on the CAMS alert.
Additionally, while it is still unclear how many total cards have been compromised, Krebs was able to draw some conclusions after analyzing P.F. Chang’s 2012 income statement. The restaurant change processes about 800,000 credit and debit card transactions per month, Krebs noted. Assuming that the breach affected all 211 of P.F. Chang's U.S. locations, he determined that a nine-month breach may have impacted up to 7 million cards.
BankInfoSecurity noted that so far, fraud experts have not reported any increase in fraud
from the cards used at P.F Chang’s, or from the Pei Wei restaurant chain, which P.F. Chang’s owns. However, the site noted that it expects fraud to spike son, since the word on the breach is now out and fraudsters will want to make their move before the cards are canceled.
For its part, P.F. Chang’s has temporarily moved to an old-school manual credit card imprinting system for all of its U.S. locations. P.F. Chang’s also said it was working with the U.S. Secret Service and a team of third-party forensics experts to discover the cause of the breach.