
Hack Report: P F Chang's China Bistro and Subsidiaries

Updated on December 29, 2018

Published June 29, 2014

by Rachael O'Halloran

IMPORTANT UPDATE: July 1, 2014 and August 5, 2014 at end of this article.

Data Breaches = Hacked Accounts



Lately, I have been losing a lot of faith.

Oh, not in God .... just in people and technology. I'll tell you why.

There have been companies who reported to the Attorney General or who have been notified by the United States Secret Service that they have had a "data breach" - in other words, they've been hacked - but they choose to wait a couple of months to file the actual report with the Attorney General's office in their state. After learning of it, many choose not to notify the public.

Some companies don't even bother reporting it at all, which I just don't "get." In my opinion, there should be hefty fines in place for non-compliance, so that they must file a report. They are putting the public at risk by denying them the knowledge that their information has been compromised.

They have reasons for not complying; almost all of the reasons are financial and reputation oriented.

Watchdogs who learn of breaches have been the heroes for notifying the public of the data breaches.

On the flip side, you have companies who have been hacked (yes, they actually hate that word and that's too bad!). Their spokesperson makes public statements for their company that minimize the actual damage or extent of the breach. Often they "fudge" on the actual breach dates, either intentionally or because they haven't done enough homework to see how far back the breach dates.

In other words, they glossed over it.

I don't like "glossing over" tactics.

In fact, I hate them!

These companies make me mad. If they don't think enough of putting out an "All Points Bulletin" to notify the public that their databases, credit card networks, etc. have been compromised (i.e. Hacked), then I will.

In an effort to air as much of their dirty laundry as possible, I have decided to create my own "Hacking Report."

This is the first report of many and I will keep updating them as more information or solutions become available.

Feel free to SHARE this article, but please do not copy it.

Use the share buttons on the right side of your screen if you want your friends on social networks to read this article.

If you want to email your friends the link, use this one:


Definition of Data Breach

Even if you have not been a visitor to P F Chang's China Bistro or their other restaurants, this report still has important information in what exactly happens to your credit or debit card data when it has been stolen from an establishment in some manner or if there has been a "data breach."

Data Breach

"Data breach" is an information technology, governmental and finance term meaning "your personal information has been hacked."


P F Chang's China Bistro

P F Chang China Bistro was hacked. What started out small, got bigger and bigger as time went by.

P F Chang's China Bistro Breach

Dates of Breach:

P F Chang said they learned of it on June 10, 2014 when they were notified by the United States Secret Service. But by the end of the second week in June, the agency said the breach spanned from March 20, 2014 to May 30, 2014. Now it is the end of June and published accounts state that the dates are far more long range than originally reported. The dates are now September 18, 2013 through June 11, 2014.

Date of Report:

June 12, 2014

Number of People Affected:

An "estimated" 2 million credit card accounts, which includes all patrons who visited any of over 65 US based P F Chang restaurants, over 40 international locations, their 66 Flemings Steakhouse locations or 20 of their fast food chain "Pei Wei" for a total of over 190 locations.


One of the many duties of the United States Secret Service is to investigate breaches of counterfeit debit and credit cards.

P F Chang's data breach has the potential to become a rather large breach given the total number of locations P F Chang's owns, the fact that their payment systems are linked and that an "estimated" 2 million credit or debit cards are involved. There could be more.

I'm a bit peeved with the wording of the company's initial statement because I feel it can be taken two ways and is rather misleading to the public.

Read the following statement and see what conclusion you come up with. I provided you with the link under the screenshot to show you that I didn't alter the quote and so you can read more of the company's statement.


P F Chang's Spokeswoman's Statement


"Where stolen credits cards were used at several of its restaurants experienced fraud on them"

Did you arrive at the same conclusion as I did? Did you take the statement to mean ...


Wording of P F Chang's Statement

Thank you for answering the poll question.

To me, the statement implies that there were stolen credit cards used at their restaurants when in fact, the credit card data was stolen from their network, not the other way around.

The wording "experienced fraud on them" is just an odd choice of words in any vernacular, in my view.

To the average reader, the statement that "stolen credit cards were used at several of its restaurants and experienced fraud on them" could mean that P F Chang's got stiffed for their bill when someone used stolen credit cards at their restaurant.

You can see how a few words can change the total meaning of the incident.

To be clear: If you used your credit or debit cards to pay your food check at any P F Chang locations or their subsidiaries, be aware that their network has been hacked. All credit and debit card data has been compromised (stolen).


What Happens After Your Data Is Stolen

Several online security experts, whom I follow as a subscriber to their blogs, strongly feel and in the last couple of weeks have provided proof that there might be a connection to the November 2013 breach of 40 million credit cards stolen from Target and 282,000 from Sally Beauty Supply Company because many of the stolen credit and debit cards from P F Chang's network breach have already been offered for sale online at the same underground credit card website.

1. The website "Rescator" is a black market site that sells stolen codes from credit card magnetic strips either individually or in bundles called dumps. (see photos in the sidebar)

  • On June 9th, Rescator started advertising (for sale) thousands of newly acquired (stolen) debit and credit cards. An "investigator" gained access to their forum, purchased some of the cards and they have now been verified to have been used at P.F. Chang’s locations from March 20 to May 30, 2014.
  • According to the investigator who made the purchase, Rescator is using the tag "Ronald Reagan batch" to identify this load of cards.
  • On June 10th, P.F. Chang's received a warning from the U.S. Secret Service that its network may have been compromised. There's no proof it was the same hacker. It could have been just a coincidence of timing. But I doubt it; I'm not a believer in this type of coincidence.

2. Rescator guarantees valid cards. The card numbers are worth more shortly after stealing them, before the fraudulent transactions start getting noticed at Points of Service and before banks and consumers become aware that their card has been breached. The longer Rescator holds on to them, the more they risk the cards getting flagged at Points of Service, making them worthless to their buyers.

  • The way they validate them is they do test purchases on batches of cards (usually on the internet) to make sure the cards are accepted and that the charges go through.
  • With this knowledge, they are able to validate 100% that the cards are usable. The higher the validity rate, the more reliable the seller's reputation and the higher price he can get for the card. If the card proves not to be usable, the buyer is given a credit toward another card, but no refund. However, word gets around fast if someone's purchase was flagged and it is only a matter of time before more cards are flagged in that "batch."


Company Website

In my screenshot photo below of what P F Chang put up on their website to answer security concerns, please note #1 where they say "credit and debit card data reportedly stolen from some of our restaurants."

Then note #8 where they say "we do not yet know which credit or debit cards may be involved. P.F. Chang's has notified the credit card companies and is working with them to identify the affected cards."

P F Chang's Security Page

Fleming's Steakhouse & Wine Bar


Fraud Spikes

P F Chang's spokeswoman said that "the payment card industry is closely monitoring cards used at all three restaurant chains for signs of fraud. So far no fraud spikes have been noted."

  • That means that no credit card agency has reported them being used to rack up charges.
  • My thought is -- if you don't know which cards were stolen, then how would you know which ones to be on the alert as being used fraudulently?

If a fraud spike starts, it will make the thief have to sell the cards very quickly to get the most amount of use out of them before they are flagged by the credit card companies as stolen.

If Rescator's "Ronald Reagan batch" indeed contains P.F. Chang's data, incidents of fraud will soon spike when real card owners report charges on their bills that are not their purchases.

  • There are 1,650 Ronald Reagan cards being advertised for sale on Rescator, priced from $18 for a prepaid Visa debit card to $140, based on card types and credit limits.
  • UPDATE: On June 15, 2014, Rescator site began listing for sale bulk discounts of 100 dumps ($2,000), 200 dumps ($3,500), and 300 dumps ($4,500).

They are trying to get rid of them fast.

It is still not clear HOW the card data was stolen from P F Chang. It could have been done the same way it was done at Target when malware was implanted at the point-of-sale terminals that grabbed data from cards as soon as they were swiped, and before the information was encrypted. Or there could have been a physical hack into their payment network.

The United States Secret Service is still investigating this case. As it is updated, so shall this hub.


Pei Wei Asian Diner


P F Chang's Solution

As of this writing, P F Chang's stopped swiping cards on Point Of Service terminals and is now doing business "the old-fashioned way" -- with manual imprinting machines for each credit card. They feel that this will make customers feel safe when using their credit cards at their establishments.

Now all they have to worry about is the carbon paper copies.

However, this is not the best solution because credit card companies stopped making embossed cards after learning that the raised lettering on credit cards was easy to duplicate to create stolen cards. So the new embossed cards can only be swiped through a card reader, not a manual imprint machine.

If patrons can't use their credit cards, I guess they better get acquainted with cash.

Or eat at home.


Were you affected?

Were you a customer of any of the P F Chang restaurants (Fleming's, Pei Wei) during the breach dates of September 2013 to June 2014?


UPDATE: July 1, 2014

According to, P F Chang's China Bistro has been hit with a class action lawsuit due to the above reported security breach at their restaurants.

The lawsuit was filed on Thursday June 26, 2014 in US District Court in Illinois by John Lewert, an Illinois resident seeking monetary and statutory damages. He claims that around April 3, 2014 he used his debit card to make a purchase and that by using that debit card, he had an "implied contract" with the restaurant that they would protect his debit card information. The data breach, he said, violated the contract by exposing his personal information.

It is interesting to note that this lawsuit says that P F Chang's has confirmed the breach of at least seven million debit and credit cards, whereas the report I read to write this article approximated the number at two million.

As I said earlier in my article, this breach has the potential to go large and I don't believe we have heard the end of it yet. This is just one class action lawsuit involving an undetermined number of litigants because it is still collecting information from those affected.

You can read the 18 page complaint here but the gist of it is that the lawsuit is asking for a JURY TRIAL as well as:

  1. Ordering P.F. Chang’s to pay actual damages to Plaintiff and the other members of the Class;
  2. Ordering P.F. Chang’s to pay for not less than three years of credit card monitoring services for Plaintiff and the other members of the Class;
  3. Ordering P.F. Chang’s to pay punitive damages, as allowable by law, to Plaintiff and the other members of the Class;
  4. Ordering P.F. Chang’s to pay statutory damages, as provided by the Illinois Consumer Fraud and Deceptive Business Practices Act and other applicable State Consumer Fraud Acts, to Plaintiff and the other members of the Class
  5. Ordering P.F. Chang’s to disseminate individualized notice of the Security Breach to all Class members and to post notice of the Security Breach in all of its affected stores;
  6. Ordering P.F. Chang’s to pay attorneys’ fees and litigation costs to Plaintiff and the other members of the Class;

There are more but those are the highlights. Number five is the one that will literally destroy this company by having them destroy their own reputation. It asks that the company post notices in all their "affected" restaurants (I'm assuming subsidiaries as well) to let the patrons know of the security breach - which they will probably be reading as they stand in line waiting to be seated!

Anyone interested in joining this class action lawsuit, please contact:

Joseph J. Siprut EMAIL:
Gregg M. Barbakoff EMAIL:
Gregory W. Jones EMAIL:


Regular Postal Mail, Address your inquiry to:

17 North State Street
Suite 1600
Chicago, Illinois 60602

PHONE: 312.236.0000
FAX: 312.267.1906

Update: August 5, 2014

SC Magazine is reporting that P F Chang's security breach of June 2014 affected only 33 of its locations and not all of its locations, as they previously had thought. Read more at the link.

Rachael O'Halloran, June 29, 2014

© 2014 Rachael O'Halloran


  • RachaelOhalloran profile imageAUTHOR

    Rachael O'Halloran 

    5 years ago from United States


    I have to cool it or get booted. lol

    Thanks for reading. I'm glad you enjoyed it.

  • FlourishAnyway profile image


    5 years ago from USA

    I am a little late to this party, Rachael, but I like this new series of yours! Thankfully I am not a customer there.

  • RachaelOhalloran profile imageAUTHOR

    Rachael O'Halloran 

    5 years ago from United States


    Yes, it would have been better, but they claim they didn't find out until the US Secret Service notified them that there was some underground activity regarding their establishment and some data they had seen in hacker forums and other places. Whether they knew anything before the Secret Service told them is up for debate.

    Paying cash is the safest way to protect your credit data. I hope you paid cash :) Thanks for reading and commenting.

  • teaches12345 profile image

    Dianna Mendez 

    5 years ago

    I do love their food but haven't eaten there in quite awhile. It is a shame they did not report it to the public, it would only have made them look responsible and reliable to patrons. Thanks for the warning.

  • RachaelOhalloran profile imageAUTHOR

    Rachael O'Halloran 

    5 years ago from United States


    I'm glad I never ate there too. lol

    Thanks for reading and commenting

  • vkwok profile image

    Victor W. Kwok 

    5 years ago from Hawaii

    I'm not surprised that PF Chang's is hearing from the lawyers and am sure that more are on their way. Glad I didn't eat there before. Great hub!

  • RachaelOhalloran profile imageAUTHOR

    Rachael O'Halloran 

    5 years ago from United States


    Aw, thanks. Thanks for voting and commenting too :)

  • breakfastpop profile image


    5 years ago

    You are performing a public service! Fortunately the food there stinks so I never go! Voted up, useful and awesome.

  • RachaelOhalloran profile imageAUTHOR

    Rachael O'Halloran 

    5 years ago from United States

    They are saying the breach was at the point of sale machines - where the cards get scanned to send info to their Payment Center. All their stores use the same Payment Center, so how the other 2 escaped getting hacked too is interesting.

    The hackers either implanted something into their scan machines OR they hacked the computer that sends the info to the Payment Center before it got encrypted. That is how many of the stores are getting hacked now because after Target found actual readers on their equipment, hackers won't be trying that again anytime soon. It is far easier to crack the code OR to send malicious malware in to reroute the info to their computers.

    Another option is Brute Force, where about one hundred computers attack the mainframe and get the info that way, as was done with a wireless network to hack their wi-fi back in January 2014.

    Unless P F Chang's had some way to profit from the black market sales of the info, I don't think they were in on it at all. I think they were just plain stupid - because they didn't know about it until Secret Service told them. I could be wrong, of course, I've been wrong a lot, but when more of this story comes out, that is when we will know.

    Thanks for writing :)

  • bravewarrior profile image

    Shauna L Bowling 

    5 years ago from Central Florida

    Who in the hell would buy credit card info without having the plastic in their hands? I can see how that would work for online purchases, but in a brick and mortar building????? No! That tells me P.F. Chang's was in on the scam. What other explanation could there possibly be?

  • RachaelOhalloran profile imageAUTHOR

    Rachael O'Halloran 

    5 years ago from United States


    1. How does Rescators get the credit cards? Some of them are hackers, and the rest are fences for the hackers. Rescator is an underground credit card forum for black market sales of stolen card (actually numbers though, not cards).

    2. Are they stealing information or the actual cards?

    No, just the info on the magnetic strip.

    3. And what are they selling to the public?

    They are selling the credit card numbers on the credit card, not the actual card, although a card can be made from the information.

    They are selling all the information which is all on the magnetic strip - (personal information of the credit card holder not limited to the birth date, password on the online credit card account, your bank name where your bill is paid from or debited from if debit card, credit limit, the expiration date, name -address -social security number, phone number, mother's maiden name, favorite pet name, the 3 digit code on back of the card and whatever other information you gave to the credit card company when you got the card and when you opened an online account.)

    And why on Earth did P.F. Chang's wait so friggin' long to notify the public? Were they in on it????????

    That's the million dollar question. They claim they knew nothing about it until the Secret Service came to notify them on June 12, 2014. It was only a few days later that it was learned the breach was not limited to March to May 2014 but went back further.

    Who's to say it is true what they proclaim - that only the PF Chang restaurants are affected. 3 months from now, we may hear it was Flemings and Pei Wei too. All on same payment network, so how did they escape being hacked?

    There's more to this story than we are being told.

    Thanks for reading and commenting :)

  • RachaelOhalloran profile imageAUTHOR

    Rachael O'Halloran 

    5 years ago from United States


    As I have learned in the few short years I've been at this, nothing is safe. Because it is OUR information, companies feel no allegiance to us to safeguard it.

    We are the ones who spread our information around the most because it is required of us everywhere we go. How are we ever to safeguard it if everyone and his brother has to know it?

    None of our information is safe. It is input by humans, and they have access.

    It is read by humans, and they have access.

    It has to be referred to and verified for approval of other accounts and services, and so more eyes have access.

    And finally, a frigging computer program has access and if a hacker gets into the program - which is the most likely place to get tons of info at one haul - then the whole world has access.

    Nothing is safe.

    Thanks for reading and commenting :)

  • RachaelOhalloran profile imageAUTHOR

    Rachael O'Halloran 

    5 years ago from United States


    Thank you for reading and agreeing :)

    Your vote is appreciated as well as your comment.


  • WillStarr profile image


    5 years ago from Phoenix, Arizona

    All these companies assure us that our information is safe with them, so they are afraid to admit that they were wrong. But they owe it to their customers to warn them so they can cancel their cards.

  • Maggie.L profile image


    5 years ago from UK

    Thanks for highlighting what's happening here. I also thought the wording was very misleading. A really well covered hub. Voted up.

  • bravewarrior profile image

    Shauna L Bowling 

    5 years ago from Central Florida

    Fortunately, I've never been a patron of this chain or its affiliates. How does Rescators get the credit cards? Are they stealing information or the actual cards? And what are they selling to the public? This is mind-boggling.

    And why on Earth did P.F. Chang's wait so friggin' long to notify the public? Were they in on it????????

