Analyzing P.F. Chang’s Crisis Management for Data Breach

Jonathan Bernstein

Was the popular chain’s crisis management a four-star effort?

The data breach at P.F. Chang’s came to light in mid-June of this year, with the organization claiming to have learned of the situation June 10. Crisis management started out in troubled waters when a massive number of news organizations and websites managed to share the story, first reported by Krebs on Security, before P.F. Chang’s itself was able to get out a statement.

When a statement did come out, it was two full days after the company allegedly first learned of the attack from the U.S. Secret Service, giving stakeholders plenty of time to stew.

“On Tuesday, June 10, P.F. Chang’s learned of a security compromise that involves credit and debit card data reportedly stolen from some of our restaurants. Immediately, we initiated an investigation with the United States Secret Service and a team of third-party forensics experts to understand the nature and scope of the incident, and while the investigation is still ongoing, we have concluded that data has been compromised.

At P.F. Chang’s, the safety and security of our guests’ payment information is a top priority. Therefore, we have moved to a manual credit card imprinting system for all P.F. Chang’s China Bistro branded restaurants located in the continental United States. This ensures our guests can still use their credit and debit cards safely in our restaurants as our investigation continues.

We have also established a dedicated public website,, for guests to receive updates and answers to their questions.

Because we are still in the preliminary stages of our investigation, we encourage our guests to be vigilant about checking their credit card and bank statements. Any suspected fraudulent activity should be immediately reported to their card company.

We sincerely regret the inconvenience and concern this may cause for our guests.”

Altogether not a bad statement, but we would have insisted that the expression of compassion come first. The entire goal of expressing your compassion is to put the audience in a more receptive frame of mind, an advantage that is thrown away by making it the last line in the statement.

In an interesting move, P.F. Chang’s brought out its cache of “knuckle-buster” credit card imprinters in order to safely conduct credit and debit card transactions while its systems were re-secured, a move we haven’t seen from a breached retailer yet.

Although reporting has slowed significantly on this case, accusations that this breach goes back to September 2013 have surfaced, sparking at least one class-action lawsuit. If they can be substantiated, P.F. Chang’s had better be ready to go for Round 2 of crisis management!

The BCM Blogging Team

Comments 2

  1. Phil Cox

    While not of the immediate crisis, we, as P.F. Chang customers, have sensed that a Chinese Wall (pardon the pun) has been erected between management and staff, leading to rueful remarks by staff that they are the last to know. Let’s hope that gets repaired.
