Briar Group restaurant chain to pay $110K for data security breach; must comply with PCIDSS
Jenn Abelson reports:
The Briar Group LLC, which runs Ned Devine’s, the Green Briar, The Lenox, and other popular restaurants, has agreed to pay $110,000 to resolve allegations that the Boston chain failed to take reasonable steps to protect diners’ personal information and put at risk tens of thousands of credit and debit card information.[…]
A press release from the Attorney General’s Office provides the background:
According to the lawsuit, filed in Suffolk Superior Court, the Briar Group experienced a data breach in April 2009, when malcode that was installed on Briar’s computer systems allowed hackers access to customers’ credit and debit card information, including names and account numbers. The malcode was not removed from the Briar Group’s computers until December 2009.
Further, the complaint alleges that the Briar Group failed to change default usernames and passwords on its point-of-sale computer system; allowed multiple employees to share commons usernames and passwords; failed to properly secure its remote access utilities and wireless network; and continued to accept credit and debit cards from consumers after Briar knew of the data breach.
The judgment, signed on March 28, 2011, by Suffolk Superior Court Judge Giles, requires a payment to the Commonwealth of $110,000 in civil penalties; compliance with Massachusetts data security regulations; compliance with Payment Card Industry Data Security Standards; and the establishment and maintenance of an enhanced computer network security system.
Under the terms of the settlement, all restaurants in the Briar Group Chain must develop a security password management system and implement data security measures to comply with Payment Card Industry Data Security Standards state data security regulations, including implementation, maintenance, and adherence to a Written Information Security Program.
Although the data breach occurred prior to the effective date of the Massachusetts data security regulations, the data security standards set forth in the regulations were used in the settlement.
I do not see where the breach was ever reported in the media at the time, although it seems to have been reported to states. In April 2010, I noted some reports to the NYS Consumer Protection Board that had been made between January 1 and April 12 of last year. They included entries tagged as “hacking” from Ned Devine’s, Green Briar, City Bar Solas, The Harp, and MJ O’Connor’s, all of which are Briar Group restaurants. Those reports to NYS appear to have been made in March 2010, but since the full breach reports are not available online, we’ll only know what was reported when we obtain the reports under FOI.