Panda Restaurants discloses data breach after corporate systems hack

  • May 1, 2024
  •  
  • 01:35 PM
  •  
  • 1

Panda Express

Image: Coolcaesar (CC BY-SA 4.0)

Panda Restaurant Group, the parent company of Panda Express, Panda Inn, and Hibachi-San, disclosed a data breach after attackers compromised its corporate systems in March and stole the personal information of an undisclosed number of associates.

Panda Express is the largest Chinese fast food chain in the United States, with over $3 billion in sales and 47,000 associates working in 2,300 branches.

The company discovered a data security breach on March 10, 2024, which affected some of its corporate systems but left in-store systems, operations, and guest experience unaffected.

"The incident only impacted current and former associate data. No guest data was involved in this incident," a company spokesperson told BleepingComputer.

As soon as it detected the incident, Panda secured its environment, activated remediation and recovery efforts, and initiated a thorough investigation in collaboration with third-party cybersecurity experts and law enforcement agencies to establish the nature and extent of the breach.

"After a thorough investigation, we determined that certain information maintained on our corporate systems was accessed by the unauthorized actor between March 7-11, 2024," Panda said in notification letters sent to affected individuals.

"With the support of third-party experts, we then began a thorough review of the data affected to identify the specific information and individuals impacted. On April 15, we concluded our review of impacted data and determined that your personal information was involved."

Unknown number of affected people

According to information filed with the Office of the Maine Attorney General, information exposed in the attack includes affected peoples' names or other personal identifiers and their driver's license numbers or non-driver identification card numbers.

Panda has yet to disclose the total number of individuals whose personal information was accessed or stolen in the incident.

"We continue to work with law enforcement who are conducting an active investigation into the unauthorized actor responsible for this incident," the company added.

"Panda also implemented additional technical safeguards to further enhance the security of information in our possession and to help prevent similar events from happening in the future."

A Panda Restaurant Group spokesperson has yet to reply to a request for additional details regarding the incident, including the total number of affected people and if the attackers have made any ransom demands.

Update May 01, 15:25 EDT: Added statement from Panda spokesperson.