Chain fusion bistro P.F. Chang’s confirmed last week that its payment system had been breached, and the company’s official statement is that they’re investigating when and how the breach started. Unofficially, we may have an answer to the first half of that question: the breach may have started in September of 2013.

The ever-vigilant Krebs on Security has learned from bank sources that cards listed in a recent fraud alert sent from Visa to banks were most likely part of the P.F. Chang’s breach. That’s because the same card numbers are in a batch purchased from a site on the dark side of the Internet that has only been selling payment information obtained in the P.F. Chang’s breach. These numbers had been swiped as far back as September 18, which is possibly the day that the breach started.

In the meantime, P.F. Chang’s is kicking it old-school and using older, carbon-copy credit card machines that take an imprint of diners’ cards instead of using an electronic payments system. Using data that the company has made public in its earnings reports, Krebs estimates that as many as 7 million separate cards could be part of this breach.

How many more massive breaches will happen before Visa and MasterCard implement chip-and-PIN technology in 2015?

P.F. Chang’s Breach Likely Began in Sept. 2013 [Krebs on Security]

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.