Posted by Kevin on June 12, 2014.
Brian Krebs reported Tuesday that fresh credit card details are being offered for sale on the internet. When he approached several banks over the details he found a common denominator: “all had been used at P.F. Chang’s locations between the beginning of March 2014 and May 19, 2014.”
Contacted about the banks’ claims, the Scottsdale, Arizona-based restaurant chain said it has not yet been able to confirm a card breach, but that the company “has been in communications with law enforcement authorities and banks to investigate the source.”
Banks: Credit Card Breach at P.F. Chang’s
Krebs was further told by the banks that the cards were used at Chang’s sites in Florida, Maryland, New Jersey, Pennsylvania, Nevada and North Carolina. The Verge adds “Puerto Rico, Mexico, Canada, Argentina, Chile, and the Middle East” to the list — but this is probably just a misreading of Krebs’ initial report.
Neither P.F. Chang’s nor law enforcement is giving out any further information — so everything else is supposition. Nevertheless we can draw some tentative inferences. For example, since it appears that the card details were obtained unencrypted, the likelihood is that RAM-scraping malware was introduced to the POS devices in the bistros themselves. In a PCI-compliant system, this is the primary point at which the details are in plaintext.
Since multiple locations have been affected, it is likely that this was achieved from the inside-out; that is, Chang’s network was first compromised and the malware delivered to the POS devices from the network. That makes it a compromise similar to the one at Target.
So what can we learn from this? Frankly, nothing with any certainty until more details are revealed. But I offer two observations: companies need to act on shared threat intelligence; and they must conduct continuous security response on the assumption (even if not the knowledge) that they have already been breached.
Improved threat information sharing is not going to be the silver bullet we’re promised. IF the breach was actually similar to the Target breach, then Chang’s should have had enough information to prevent their own breach. Sharing threat information will have nil effect if the recipients of the information take no action. [But see Update below.]
The implication from Krebs’ report is that Chang’s was unaware of the breach before being notified either by the banks or by Krebs himself. We do not know if this is true. It is possible that they became aware some time ago but were asked by law enforcement and/or forensic investigators to keep quiet while investigations proceeded. If that was not the case, it demonstrates two things that are increasingly obvious:
We cannot abandon traditional perimeter defences. They do and will continue to rebuff the everyday hacker. But we must recognise that they will not stop a determined targeted attack. The only solution here is to operate on the assumption that a breach has already happened and to continually monitor the network on and from the inside looking for any tell-tale sign that might indicate the presence or activity of an intruder. It’s not easy, but it must be done.
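One concrete form of the inside-looking monitoring argued for above, and of the plaintext-at-the-POS observation made earlier: inspect outbound records from the POS segment for Luhn-valid card numbers leaving in the clear, and rate any such sighting higher when the destination is not an expected payment endpoint. This is an added example written for this post, not code from P.F. Chang’s, Krebs or any investigator; the egress records, hostnames and the allow-list entry are constructed placeholders.

```python
import re

# Assumed allow-list of destinations a POS terminal is expected to talk to
# (placeholder name; the real processor endpoint is not known from the post).
ALLOWED_DESTINATIONS = {"gw.processor.example:443"}

# Constructed sample egress records: "<time> <src_host> <dst_host:port> <payload snippet>".
SAMPLE_EGRESS = [
    "2014-05-01T12:00:01 pos-fl-17 gw.processor.example:443 TLS ClientHello",
    "2014-05-01T12:00:09 pos-fl-17 203.0.113.45:8080 POST /u.php id=4111111111111111&e=1512",
    "2014-05-01T12:01:00 pos-nj-02 10.0.0.5:514 order=4111111111111112 ts=1402531200000",
]

# 13 to 19 consecutive digits not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """ISO/IEC 7812 check digit; weeds out timestamps and order ids that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid digit runs in a payload snippet."""
    return [m.group() for m in PAN_CANDIDATE.finditer(text) if luhn_valid(m.group())]


def mask(pan: str) -> str:
    """Keep only BIN and last four so the alert itself does not carry cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def analyse(records: list[str]) -> list[dict]:
    """Flag every record whose plaintext payload carries a valid PAN; an unexpected
    destination raises severity, since that is the tell-tale sign of exfiltration."""
    alerts = []
    for rec in records:
        ts, src, dst, payload = rec.split(" ", 3)
        for pan in find_pans(payload):
            alerts.append({"time": ts, "src": src, "dst": dst, "pan": mask(pan),
                           "severity": "high" if dst not in ALLOWED_DESTINATIONS else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_EGRESS):
        print(alert)
```

Only the second record trips the check: the third carries a 16-digit value that fails Luhn and a 13-digit epoch timestamp, which is exactly the noise a naive digit-count rule would alert on.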
Update: 19 June 2014
It now appears that the original P.F. Chang’s breach may have occurred 9 months ago, pre-dating the public disclosure of the Target breach:
The recently-announced credit card breach at P.F. Chang’s Chinese Bistro appears to have gone on for at least nine months: New information indicates that the breach at the nationwide restaurant chain began on or around Sept. 18, 2013, and didn’t end until June 11, one day after KrebsOnSecurity.com broke the news about the break-in.
P.F. Chang’s Breach Likely Began in Sept. 2013