Nearly two months ago, security journalist Brian Krebs broke the news of a credit card data breach at the restaurant chain P.F. Chang’s. This week the company’s CEO posted an update on the compromise along with a list of Frequently Asked Questions.
Many in the SecureState office noticed that at least one important question was left off the list: why was card data allowed out of the network in the first place? The information security industry as a whole has moved toward a “when, not if” mentality about being hit with malware or other threats, but there are still many layers of security that can keep a Trojan on a point-of-sale system from turning into a breach that lands you on the front page for the wrong reasons. Outbound (egress) filtering is one of them: malware that cannot reach its drop site cannot exfiltrate the cards it has scraped.
If you think you are seeing double, it might be because SecureState wrote about the need for segmentation and egress filtering just days ago. We have seen many cases to date where supposedly PCI-compliant organizations have no egress filtering on the cardholder data environment at all, and this is certainly not going to be the last.
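The following is an added example (not code from the original post or from SecureState) of what a default-deny egress policy for a cardholder data environment looks like when written down and checked. One allow-list drives two things: a rendered iptables OUTPUT chain that drops everything not explicitly permitted and logs the attempt, and an audit that runs the same allow-list over flow records to surface CDE hosts talking to unapproved destinations. The subnet, the payment processor range, the internal resolver and syslog hosts, and the flow records are all constructed for illustration (documentation address ranges are used throughout); a real deployment would take the policy from the firewall and the flows from NetFlow, IPFIX or firewall logs.

```python
"""Default-deny egress for a CDE: rendered firewall rules plus an audit over flow records.

Added example; every address, host and flow below is constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    src: str        # source host (the CDE system)
    dst: str        # destination host
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    bytes_out: int  # bytes sent by the source


# Assumed CDE subnet (point-of-sale and payment systems).
CDE_SEGMENT = ipaddress.ip_network("10.20.0.0/24")

# Assumed egress allow-list. Anything not listed here is denied.
# (destination network, protocol, destination port, purpose)
EGRESS_ALLOW: List[Tuple[ipaddress.IPv4Network, str, int, str]] = [
    (ipaddress.ip_network("10.20.0.53/32"), "udp", 53, "internal DNS resolver"),
    (ipaddress.ip_network("10.20.0.10/32"), "tcp", 514, "internal syslog collector"),
    (ipaddress.ip_network("198.51.100.0/24"), "tcp", 443, "payment processor (assumed range)"),
]


def is_allowed(flow: Flow) -> bool:
    """True if the flow matches an allow-list entry; everything else is a violation."""
    dst = ipaddress.ip_address(flow.dst)
    return any(
        dst in net and flow.proto == proto and flow.dport == port
        for net, proto, port, _ in EGRESS_ALLOW
    )


def render_iptables(interface: str = "eth0") -> List[str]:
    """Render the allow-list as an iptables OUTPUT chain for a CDE host.

    Established return traffic is accepted, listed destinations are accepted,
    and everything else is logged with a recognisable prefix and dropped.
    """
    rules = [
        "iptables -P OUTPUT DROP",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for net, proto, port, purpose in EGRESS_ALLOW:
        rules.append(
            f"iptables -A OUTPUT -o {interface} -d {net} -p {proto} --dport {port} "
            f"-j ACCEPT  # {purpose}"
        )
    rules.append('iptables -A OUTPUT -j LOG --log-prefix "CDE-EGRESS-DENY "')
    rules.append("iptables -A OUTPUT -j DROP")
    return rules


def audit_egress(flows: List[Flow]) -> Tuple[List[Flow], Dict[str, int]]:
    """Return (violating flows, bytes each CDE host sent to unapproved destinations).

    Flows that do not originate in the CDE are out of scope and skipped; the byte
    totals make a single host pushing megabytes to an unknown address stand out.
    """
    violations: List[Flow] = []
    bytes_by_host: Dict[str, int] = defaultdict(int)
    for f in flows:
        if ipaddress.ip_address(f.src) not in CDE_SEGMENT:
            continue
        if not is_allowed(f):
            violations.append(f)
            bytes_by_host[f.src] += f.bytes_out
    return violations, dict(bytes_by_host)


# Constructed flow records, as a collector might export them.
SAMPLE_FLOWS = [
    Flow("10.20.0.15", "10.20.0.53", "udp", 53, 120),           # approved internal DNS
    Flow("10.20.0.15", "198.51.100.7", "tcp", 443, 5400),       # approved processor traffic
    Flow("10.20.0.15", "203.0.113.44", "tcp", 443, 2_500_000),  # unknown external host, large upload
    Flow("10.20.0.22", "192.0.2.53", "udp", 53, 900),           # external resolver, not approved
    Flow("10.20.0.22", "10.20.0.10", "tcp", 514, 300),          # approved syslog
    Flow("10.30.0.5", "203.0.113.44", "tcp", 443, 100),         # corporate host, not in CDE scope
]

if __name__ == "__main__":
    for rule in render_iptables():
        print(rule)
    bad, totals = audit_egress(SAMPLE_FLOWS)
    for f in bad:
        print(f"DENY {f.src} -> {f.dst}:{f.dport}/{f.proto} ({f.bytes_out} bytes)")
    print("bytes to unapproved destinations per CDE host:", totals)
```

With the policy enforced, the 2.5 MB transfer from 10.20.0.15 to 203.0.113.44 never leaves the segment and shows up in the firewall log under the CDE-EGRESS-DENY prefix; with only the audit in place, it still shows up as the largest violator, which is the alert the merchant, rather than a third party, should have been the first to see.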
On a separate point, the question about the timing of the incident was also left unanswered despite making the FAQ list. Having participated in my share of card breach investigations, I understand that the intrusion window can be one of the most difficult factors to pinpoint, so that one gets a pass for now. However, this is yet another breach that went undetected by the merchant until another party (in this case, the Secret Service) alerted them. Not only does this reflect poorly on the chain’s security efforts, it also sets back the investigation timeline while the PFI (PCI Forensic Investigator) firm tries to validate the window of intrusion.