In a press release yesterday, the Massachusetts Attorney General's office announced a settlement with the Briar Group LLC restaurants over a 2009 data breach in which the company failed to take reasonable steps to protect customers' debit and credit card information:
"According to the lawsuit, filed in Suffolk Superior Court, the Briar Group experienced a data breach in April 2009, when malcode that was installed on Briar’s computer systems allowed hackers access to customers’ credit and debit card information, including names and account numbers. The malcode was not removed from the Briar Group’s computers until December 2009. Further, the complaint alleges that the Briar Group failed to change default usernames and passwords on its point-of-sale computer system; allowed multiple employees to share common usernames and passwords; failed to properly secure its remote access utilities and wireless network; and continued to accept credit and debit cards from consumers after Briar knew of the data breach."
The Briar Group LLC owns and operates several popular restaurants, including Ned Devine's, the Green Briar, The Harp, and Solas. The judgment, signed on March 28, 2011, requires the company to pay $110k in civil penalties to the Commonwealth, and to comply with both Massachusetts data security regulations and Payment Card Industry Data Security Standards (PCIDSS). All restaurants in the company must also develop a security password management system and implement data security measures to comply with PCIDSS standards, including a Written Information Security Program.
Consumers need to know that retailers adequately protect their banking information as required by law. Congratulations to the Massachusetts Attorney General's Office.