Woman hacker hands at keyboard showing cyber attack

Largest Chinese Fast Food Chain in the US, Panda Express, Impacted by March Cyber Attack

Panda Express, the largest Chinese fast food chain in the United States, was impacted by the March 2024 cyber attack that affected its parent company’s corporate systems.

With an annual revenue of over $3 billion, Panda Express is the largest Asian fast food restaurant in the United States, operating in 2,200 locations and employing 47,000 people.

The Rosemead, California-based Panda Restaurant Group (PRG) is the parent company of Panda Express, Panda Inn, and Hibachi-San.

According to a data breach notification filed with the Office of the Maine Attorney General, PRG discovered the “external system breach” on March 10 after a threat actor breached its corporate systems and maintained persistence between March 7 and 11, 2024.

Panda Express cyber attack compromised employees’ personal information

Upon detection, the Chinese fast food chain secured its environment, initiated remediation and recovery efforts, and launched an investigation with law enforcement authorities and third-party cybersecurity experts.

“With the support of third-party experts, we then began a thorough review of the data affected to identify the specific information and individuals impacted.”

Panda’s investigation determined that an unauthorized actor, whose identity remains a mystery, accessed certain information from its corporate systems.

The cyber attack leaked sensitive personal information, including victims’ first and last names, driver’s license numbers or non-driver identification card numbers, and other unspecified personal identifiers.

Although the number of impacted victims remained undisclosed, the Panda Express data breach impacted current and former employees. However, the cyber attack did not compromise customer data, disrupt store operations, or degrade customer experience across Panda restaurants.

Currently, Panda has no evidence that the threat actor misused the stolen information, and efforts are underway to contact all impacted individuals.

Panda is also offering 12 months of identity theft protection and credit monitoring services through CyEx Identity Defense Total – 3 Bureau to protect the victims from fraud.

The Asian food retailer also advises victims to stay vigilant for suspicious activity by monitoring their credit reports and bank account statements and reporting any anomalies to their financial institutions and relevant law enforcement agencies.

Impacted victims could also freeze their credit reports to prevent fraudsters from opening new credit lines. Similarly, enabling fraud alerts would force lenders to verify the loan or credit card applicant’s identity before approval.

Meanwhile, the parent company of Panda Inn, Panda Express, and Hibachi-San said it has “implemented additional technical safeguards” to prevent similar incidents in the future.

Motive and perpetrator of cyber attack unknown

The motive behind the Panda Express cyber attack remains unknown. So far, the restaurant chain has not reported receiving any ransom demands, and no hacking group has claimed responsibility for the cyber attack.

“While only Panda Restaurant Group and their security team know the extent today of the recent data breach, any time that personal data is potentially exposed, corporate and customers is at risk of being exposed,” warned Sean Deuby, Principal Technologist at Semperis. “However, due to the company’s activation of their recovery and resiliency response plan when they first learned about the breach, they could return from the incident more quickly than most.”

Cybercriminals frequently target food retailers to access personal and payment information collected during operations.

In January 2023, American food distributor Sysco suffered a data breach that leaked business, employee, and customer data. In the same month, Yum! Brands, the parent company of KFC, Pizza Hut, and Taco Bell, shut down over 300 outlets in the UK after a cyber attack.

In September 2023, Pizza Hut Australia disclosed a data breach that leaked the personal information and limited financial details of 193,000 customers.