Out of sight, but not out of court
I’ve been busy recently, backfilling DataLossDB.org. I’m currently working on 2007 (because who wants to tackle 2008 until we have to, right?).
In the process, I’ve been reminded of some breaches that most of us probably never paid much attention to or followed up on. As a case in point, consider this entry in my archive from October 2007:
For many diners at the Cotton Patch restaurant on North Street, the meal was only the first taste of a months-long investigation of credit card theft, mail fraud and stolen identity.
But after finding that 140 victims of stolen credit card numbers had all dined at Cotton Patch during the summer, The U.S. Postal Inspection Service will close its investigation of the case because of a lack of new leads.
Source – Daily Sentinel
Being a curious soul, I started searching to determine if there was ever any follow-up that I had missed in the media.
It turns out that there was a follow-up, but it was in the courts, not the media. And according to a lawsuit filed by Cotton Patch Cafe against Micros Systems, the breach was due to the point of sale (POS) system provided by Micros Systems not being as secure as it had been advertised. For its part, Micros Systems denies all of Cotton Patch’s allegations or responds that it does not have sufficiently detailed allegations from Cotton Patch to respond to. Many of the court filings are under seal so I have not been able to access them.
The complaint does not specify the total number of customers whose cards were compromised, but it indicates that the restaurant’s losses were over $100,000. The restaurant notes that although they subsequently determined that their system was first compromised in 2006, the rash of fraudulent charges in 2007 was due to activity in May and June. On August 23 of that year, they allege, RBS Lynk notified them that Visa’s and MasterCard’s fraud departments had identified Cotton Patch as the point of common purchase in a number of cases where card numbers had been compromised.
Did Cotton Patch send notifications to their customers after they were informed or subsequent to any forensic evaluation? I hope so, but I find no media coverage on that point. I emailed counsel for Cotton Patch yesterday with a number of questions about the breach and case, but have received no response as yet.
But one of the things I really wondered about was how many of the POS breaches we saw in the restaurant/hospitality sector in 2008 might have been avoided had those who were breached in 2007 sounded the alarm publicly and loudly. Transparency about breaches is not just a good public posture or good for customer trust and loyalty. It can also be altruistic. If Cotton Patch did not disclose their findings about their breach publicly, then I hope that they shared them with other restauranteurs through other means and thereby alerted others to avoid the problems they experienced. But did they? I hope their lawyer provides some additional details on this case.