The extent of the breach and, indeed, the breach itself is yet to be officially confirmed by the company, but according to bank sources interviewed by Brian Krebs, some of the compromised cards have been used at various P.F. Chang’s locations between early March and May 19, 2014.
“P.F. Chang’s takes these matters very seriously and is currently investigating the situation, working with the authorities to learn more,” the company commented. “We will provide an update as soon as we have additional information.”
A strong indication that the company has suffered a breach came in the form of an ad on the popular carder store Rescator(dot)so on June 9. The seller offered a "fresh" batch of card data for prices between $18 to $140 per card, and said that they are "100%" valid, which seems to imply that the breach happened recently and has not yet been detected and, therefore, the cards in question have not yet been cancelled.
"The items for sale are not cards, per se, but instead data copied from the magnetic stripe on the backs of credit cards. Armed with this information, thieves can re-encode the data onto new plastic and then use the counterfeit cards to buy high-priced items at big box stores, goods that can be quickly resold for cash (think iPads and gift cards, for example)," Krebs explained.
The number of compromised cards is unknown. According to bank sources, the data was apparently stolen from P.F. Chang's restaurants in Florida, Maryland, New Jersey, Pennsylvania, Nevada and North Carolina. It's believed that the attackers managed to compromise the establishments' point-of-sale (POS) systems.
Additional guidance in the ad on how to pay for the data dump points to the criminals behind this breach being from Russia and/or Eastern Europe.