P.F. Chang’s China Bistro Inc. has provided new details about a security breach discovered in June, saying customer data may have been stolen from 33 restaurants in 16 states, including eight in California.

The restaurant chain said Monday that credit card numbers, expiration dates and, in some cases, cardholder names were stolen over eight months. However, the chain has not yet determined if “any specific cardholder’s credit or debit card data was stolen by the intruder,” according to Chief Executive Rick Federico.

P.F. Chang’s confirmed the data breach June 13, three days after the U.S. Secret Service alerted the chain that its credit card processing systems may have been hacked. The company said the breach occurred between Oct. 19, 2013, and June 11, 2014.

The intrusion was first reported by security blogger Brian Krebs, who said on his website that banks reported data from thousands of customers had been pilfered from locations in Florida, Maryland, New Jersey, Pennsylvania, Nevada and North Carolina, and was being sold online.


Federico said P.F. Chang’s conducted an internal investigation with the help of forensic data experts, and determined the 33 locations affected and specific time frames the credit card processing system was compromised for each.

He also said the company has been processing card data securely since June 11.

Lance Larson, a professor at San Diego State University’s Department of Management Information Systems, said new technology has made it easier for hackers to digitally enter a company and install hacking systems.

“Even if a card has never left the possession of a merchant or customer, it’s able to be stolen and sold online,” Larson said. “People can then purchase anyone’s information on websites and use new equipment to print that card and use it at a real location.”


P.F. Chang’s has about 211 locations in the U.S. and abroad. The company also operates Pei Wei Asian Diner, a more casual Asian restaurant chain with more than 190 U.S. locations, none of which were compromised.

A list of all 33 locations, as well as the dates that cards may have been compromised, can be found at pfchangs.com/security.

Follow @bri_sacks for food-biz news