P.F. Chang's China Bistro said Tuesday that it is investigating a potential security breach that may have led to the theft of information from thousands of customer credit cards.
The possible theft was first reported by Brian Krebs, a security blogger, who noted thousands of fresh credit cards appeared on Rescator, a so-called carding site that was used to sell payment data after last year's Target network breach. Data from the magnetic strips of the latest stolen cards is selling for between $18 and $140 per card.
Mr. Krebs said representatives from affected banks had purchased several stolen credit cards from carding sites and discovered that many were used recently at P.F. Chang's.
"P.F. Chang's takes these matters very seriously and is currently investigating the situation, working with the authorities to learn more," Anne Deanovic, a spokeswoman for the company, based in Scottsdale, Ariz., said in a written statement. "We will provide an update as soon as we have additional information."
Ms. Deanovic said the company had not yet tied fraudulent activity on customers' credit cards to the possible breach. The Secret Service, which has been conducting an inquiry into recent hacks at Target, Neiman Marcus and others, did not immediately return a request for comment.
P.F. Chang's was acquired by private-equity firm Centerbridge Partners in 2012 for $1.1 billion. It operated 200 Asian restaurant bistros and some 170 Pei Wei Asian Diners at the time of the deal.
Read MoreCardmakers renewpush for microchips
It is the first significant appearance of information from stolen credit cards since March, when data from 282,000 cards was tied to a possible breach at Sally Beauty.
If the breach is confirmed, P.F. Chang's will be the fifth major retail chain — after Target, Neiman Marcus, Michaels and Sally's Beauty — to acknowledge that its systems were recently compromised. In those cases, criminals installed so-called malware on retailers' systems, which fed customers' payment details back to their computer servers.
A report from Bloomberg identified Sears as another company that had been breached, but the company and law enforcement officials have denied the reports.
The tally of customers affected by these recent breaches now exceeds one-third of the American population.
More from the New York Times:
The same group of criminals in Eastern Europe are believed to be behind the hacks, and to be part of a broader cyberattack directed at as many as six other retailers, according to two people investigating the breaches who were not authorized to speak publicly.
The entry point for each breach differed, according to one law enforcement official. At Target, it was believed to be a Pennsylvania company that provided heating, air-conditioning and refrigeration services to the retailer. Criminals were able to use the company's log-in credentials to gain access to Target's systems, and eventually to its point-of-sale systems.
On Tuesday, a joint report by the Ponemon Institute, an independent security research firm, and DB Networks, a database security firm, found that retail companies are still unprepared for such attacks.
In a survey of 595 computer-security experts in the United States, the majority — 64 percent — believed their organizations still lack the technology and tools to quickly detect database attacks. Only one-third said they do the kind of continuous database monitoring needed to identify irregular activity in their databases. Another 22 percent admitted that they do not scan at all.
"The best approach to avoid an attack on a retail organization is continuous monitoring, which helps you understand your environment to detect gratuitous or anomalous traffic," said Larry Ponemon, the founder of the Ponemon Institute in an interview Tuesday. "All it takes is one successful attack."