Recently FBI director James Comey told ABC News that there are two kinds of companies: those that have been hacked and know it, and those that have been hacked and don’t know it. One company, P.F. Chang’s, recently fell into the hacked category, and from our view, their handling is a textbook case of the right way to do things.
When Comey made his comments, he wasn’t talking specifically about data breaches, but this past year has shown that the statement holds true for those as well. From the Target and Neiman Marcus data breaches at the start of the year to P.F. Chang’s announcement, 2014 is showing that our Chief Technology Officer, Raimund Genes, was right in his prediction of one major data breach occurring each month.
The fact is we live in a world now where data loss and breaches are the norm, not the exception.
In a world where bad things are expected, the measure of a company isn’t whether they prevent the bad thing from happening but instead how they handle it when it does happen. By that measure, we have to give P.F. Chang’s credit for an excellent response to this event.
First, when P.F. Chang’s learned of the data breach in early June 2013 from the United States Secret Service, they took the right step of immediately shutting down the compromised credit card payment processing system and moving back to manual processing of credit cards. This was a huge step and an unusual one. It has a significant negative impact not only on their business operations but also on their customer experience. Other companies have chosen not to take this step, presumably because of that impact. But from a security point of view it was the only step guaranteed to bring the impact of the compromise to a close and protect their customers.
Second, they immediately brought in third-party experts to help with a comprehensive investigation rather than choosing to do this in-house. This is an increasingly common step, but still one that some companies decide against. It is a good step because it brings in specialized expertise that ensures a better investigation. It’s also important from a credibility point of view, because it brings in more impartial resources.
Third, to our knowledge, they promptly acknowledged the breach and provided what information they could at the time. Rather than leaving this to be an incident fueled by whisper and supposition, they got in front of the story in June when they learned about it from the Secret Service. They also provided this information clearly on a website with an easy-to-remember, easy-to-use URL to act as the single, authoritative source of information around the incident: http://pfchangs.com/security/.
Fourth, once they completed their investigation and were able to accurately narrow the scope of the incident, they again provided that information at their authoritative website. The information they provided was very detailed, down to the specific restaurants and dates affected. This allows anyone who has eaten at a P.F. Chang’s to quickly determine whether they’re impacted by this event or not.
Finally, at the same time they provided this detailed information, they also were ready with a remedy for customers who could be affected. They partnered with AllClear Secure for 12 months to provide protections for those who could be affected. Most notably, they made arrangements so that those who could be affected are protected without taking any specific action of their own: they’re automatically protected. In addition to that, they’re also offering a free year of enhanced protection through AllClear Secure for customers who could be affected and choose to enroll. They’ve clearly worked with AllClear to provide protection for their customers and clear information through a dedicated webpage on the AllClear Secure site: https://pfchangs.allclearid.com/.
Between the technical and business response to the compromise, the quality and clarity of the communications, and the level of protection being offered to affected customers, P.F. Chang’s response to the event has been superb and really can be one that others look to for best practices.
Based on that, I can honestly say after this event I would feel comfortable using my credit card at P.F. Chang’s.
Please add your thoughts in the comments below or follow me on Twitter: @ChristopherBudd.