Industry News

Hacked restaurant chain goes back to the 1970s, to protect itself from hackers

Security blogger Brian Krebs was the first to blow the whistle earlier this week on a serious data breach at the US-based P. F. Chang’s China Bistro chain of restaurants.

The breach, since confirmed by the casual dining chain, saw thousands of stolen credit cand debit card details placed up for sale on cybercrime websites with the common factor being that they had all been used at a branch of P.F. Chang’s between early March 2014 and May 19th 2014.

The stolen information could be used by criminals to create the magnetic data strips for counterfeit cards that could be used to make fraudulent purchases of expensive luxury items.

CEO Rick Federico (he doesn’t sound very Chinese…) posted a statement on the company’s website, directed at concerned customers.

I was disappointed to notice that it didn’t include words like “sorry” or “apologise”.

On Tuesday, June 10, P.F. Chang’s learned of a security compromise that involves credit and debit card data reportedly stolen from some of our restaurants. Immediately, we initiated an investigation with the United States Secret Service and a team of third-party forensics experts to understand the nature and scope of the incident, and while the investigation is still ongoing, we have concluded that data has been compromised.

At P.F. Chang’s, the safety and security of our guests’ payment information is a top priority. Therefore, we have moved to a manual credit card imprinting system for all P.F. Chang’s China Bistro branded restaurants located in the continental United States. This ensures our guests can still use their credit and debit cards safely in our restaurants as our investigation continues.

We have also established a dedicated public website,, for guests to receive updates and answers to their questions.

Because we are still in the preliminary stages of our investigation, we encourage our guests to be vigilant about checking their credit card and bank statements. Any suspected fraudulent activity should be immediately reported to their card company.

We sincerely regret the inconvenience and concern this may cause for our guests.

Although no apology is yet forthcoming from P.F. Chang’s to customers who might be understandably concerned about what might happen to their finances (the most the company extends is its “sincere regret”), they are taking one dramatic step to avoid having more credit card information sucked out of their company.

Remember these? If you were born before the 1980s you probably will.

If you’re over a certain age you’ll recognise the above as a credit card imprinter – the clunky kerrrr-chunk device that retailers used to use on those rare occasions when someone tried to pay for goods and services with a credit card rather than cash or a cheque.

They were heavy, unwieldy and slow. But, for the time being at least, they are going to be a regular site at P.F. Chang’s.

In an FAQ on its website, P.F. Chang’s goes out of its way to assure diners that they should now be safe to use their credit cards to pay for their thai beef noodle salad and organic agave margaritas:


Yes. All P.F. Chang’s China Bistro branded restaurants in the continental U.S. are using manual credit card imprinting devices to handle our credit and debit card transactions. This allows you to use your credit and debit cards safely.

What next? Companies turning off their computers and resorting to abacuses and slide rules when their computers get hacked?

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.