P.F. Chang’s China Bistro said Tuesday that it is investigating a potential security breach that may have led to the theft of information from thousands of customer credit cards.
The possible theft was first reported by Brian Krebs, a security blogger, who noted thousands of fresh credit cards appeared on Rescator, a so-called carding site that was used to sell payment data after last year’s Target network breach. Data from the magnetic strips of the latest stolen cards is selling for between $18 and $140 per card.
Krebs said representatives from affected banks had purchased several stolen credit cards from carding sites and discovered that many were used recently at P.F. Chang’s.
"P.F. Chang’s takes these matters very seriously and is currently investigating the situation, working with the authorities to learn more," Anne Deanovic, a spokeswoman for the company, based in Scottsdale, Arizona, said in a written statement. "We will provide an update as soon as we have additional information."
Deanovic said the company had not yet tied fraudulent activity on customers’ credit cards to the possible breach. The Secret Service, which has been conducting an inquiry into recent hacks at Target, Neiman Marcus and others, did not immediately return a request for comment.
P.F. Chang’s was acquired by private-equity firm Centerbridge Partners LP in 2012 for $1.1 billion. It operated 200 Asian restaurant bistros and some 170 Pei Wei Asian Diners at the time of the deal.
It is the first significant appearance of information from stolen credit cards since March, when data from 282,000 cards was tied to a possible breach at Sally Beauty.
If the breach is confirmed, P.F. Chang’s will be the fifth major retail chain — after Target, Neiman Marcus, Michaels and Sally’s Beauty — to acknowledge that its systems were recently compromised. In those cases, criminals installed so-called malware on retailers’ systems, which fed customers’ payment details back to their computer servers.
A report from Bloomberg identified Sears as another company that had been breached, but the company and law enforcement officials have denied the reports.
The tally of customers affected by these recent breaches now exceeds one-third of the U.S. population.