P.F. Chang's China Bistro said Friday morning that there has been a breach involving data from customers' credit and debit cards used at its restaurants, confirming a report out earlier this week.
After learning of the breach Tuesday, the company "initiated an investigation with the United States Secret Service and a team of third-party forensics experts to understand the nature and scope of the incident, and while the investigation is still ongoing, we have concluded that data has been compromised," P.F. Chang's CEO Rick Federico said in a statement.
He said the company has created a website, pfchangs.com/security, for customers to receive updates and answers to their questions, and it has moved to a manual credit card imprinting system.
Federico said the company is encouraging its patrons "to be vigilant about checking their credit card and bank statements. Any suspected fraudulent activity should be immediately reported to their card company. We sincerely regret the inconvenience and concern this may cause for our guests."
The Scottsdale, Ariz.-based restaurant chain has 211 P.F. Chang's locations in the USA and 192 Pei Wei Asian Diner restaurants.
The initial report on the breach came from cybersecurity blogger Brian Krebs, who has uncovered previous data breaches at retailers such as Target.
His website, KrebsOnSecurity, said customer data from thousands of credit and debit cards previously used at P.F. Chang's restaurants went up for sale on an underground store best known for selling data from tens of millions of cards stolen in the Target breach.
Krebs reported that he contacted banking sources who said the cards had been used at P.F. Chang's locations from the beginning of March to May 19.
KrebsOnSecurity.com said the most common way that thieves steal this type of card data is by hacking into cash registers at retail locations and "planting malicious software that surreptitiously records mag stripe data when cards are swiped through the machines."
Once they get the data, thieves can re-encode it onto new counterfeit cards and use them to buy expensive goods that can be resold for cash, KrebsOnSecurity reported.
"The breaches at Target, Neiman Marcus, Michaels and Sally Beauty all were powered by malware that thieves planted on point-of-sale systems," it said.