UPDATED: P.F. Chang’s confirms ‘data has been compromised’

By Erin Ayers on June 11, 2014

pfchangbaltimoreP.F. Chang’s, a national chain of restaurants, this week confirmed that it is investigating a possible data breach of customer credit card information.

“P.F. Chang’s takes these matters very seriously and is currently investigating the situation, working with the authorities to learn more. We will provide an update as soon as we have additional information,” said Anne Deanovic, a spokesperson for the company.

Brian Krebs, a journalist focused on privacy and security issues, broke the news, reporting dozens of freshly-stolen debit and credit card numbers being sold on underground websites.

P.F. Chang’s has over 204 locations across North America, South America and the Middle East. The Asian-themed restaurant states in its privacy policy that the type of personal information it collects “depends on what you do when you visit our restaurants or websites or use our mobile applications.” It advises that name, email address, address, telephone number, or credit card information could be collected if provided by consumers.

The chain also notes that it uses a variety of tracking technologies for advertising and targeted marketing purposes. Whenever a consumer visits the P.F. Chang website, the system will collect information from their computer or device, such as device identifier, the type and version of Internet browser software used, and the operating system. Locational information via geo-tracking may be collected if permitted on the device being used and collected to send targeted marketing messages to consumers, the company reports.

On June 13, P.F. Chang’s contacted Advisen with a statement from CEO Rick Federico indicated that “data has been compromised.”

“On Tuesday, June 10, P.F. Chang’s learned of a security compromise that involves credit and debit card data reportedly stolen from some of our restaurants,” Federico stated. “Immediately, we initiated an investigation with the United States Secret Service and a team of third-party forensics experts to understand the nature and scope of the incident, and while the investigation is still ongoing, we have concluded that data has been compromised.”

Federico added that P.F. Chang’s has switched to a manual credit card imprinting system at all P.F. Chang’s China Bistro restaurants in the continental U.S., to allow customers to safely use credit and debit cards while the investigation proceeds.

Federico also noted that the company has set up a website, located at pfchangs.com/security, for guests to find answers and get updates.

“Because we are still in the preliminary stages of our investigation, we encourage our guests to be vigilant about checking their credit card and bank statements,” Federico said. “Any suspected fraudulent activity should be immediately reported to their card company.”


Erin is an editor at Advisen. She has 15 years of journalism experience. Prior to Advisen, Erin covered property-casualty insurance for 13 years as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at eayers@advisen.com.