On June 10th, 2014, the staff at P.F. Chang’s received the kind of visit nobody wants to come knocking on their door: the US Secret Service came calling to alert the restaurant chain that it had been compromised by a criminal gang that was stealing data from its point-of-sale systems.
Yesterday they posted a list of the 33 restaurants involved in the compromise, which, they have been able to determine, ran from October 2013 until June 11, 2014. The compromise has, in their words, now been “contained”.
From P.F. Chang's:
We have determined that the security of our card processing systems was compromised, and we have reason to believe that the intruder may have stolen some data from certain credit and debit cards that were used during specified time frames at 33 P.F. Chang's China Bistro branded restaurant locations in the continental United States. The potentially stolen credit and debit card data includes the card number and in some cases also the cardholder's name and/or the card's expiration date. However, we have not determined that any specific cardholder's credit or debit card data was stolen by the intruder.
I am glad to see that they are managing to get to the bottom of the breach. The question I have is: will they share the lessons learned beyond what we already know? In all likelihood we won't see much in the way of detail regarding this incident, and that troubles me. Not so much in this particular case, but with regard to the wider discussion that is not being had. In the security space we have become exceptionally adroit at barking at cars and then coming up short when it comes to collectively learning from the mistakes and missteps of those in our space.
I cannot help but think of Einstein's position on insanity.
(Image used under CC from gsloan)