Restaurant chain to pay $110,000 to settle breach claims

Mass. AG says 2009 breach exposing credit, debit card data of The Briar Group customers was caused by negligence

The Briar Group, which operates several restaurants in the Boston area, has agreed to pay $110,000 to settle allegations by the Massachusetts Attorney General's office that it failed to take reasonable steps to protect credit card data belonging to tens of thousands of customers.

Under terms of the settlement, announced Monday, the Briar Group also agreed to implement a strong password management system at each of its restaurants and to comply with the Payment Card Industry Data Security Standard.

The settlement relates to an incident that began in April 2009 when intruders broke into a Briar Group computer and installed malware designed to steal credit and debit card data. According to a lawsuit filed in Suffolk Superior Court by Attorney General Martha Coakley, the malicious software wasn't removed until Dec. 2009.

During the intervening months, the company continued to accept credit and debit card payments even after it learned of the breach, the attorney general's office contended.

Coakley's office alleged that the compromise stemmed from The Briar Group's failure to take adequate steps to protect card holder data.

The state office noted that The Briar Group used default usernames and passwords on its point-of-sale systems and allowed multiple employees to use common usernames and passwords.

The complaint also alleged that The Briar Group failed to properly secure its wireless network and remote access to its systems.

The action against The Briar Group is one of the first to be announced since a tough Massachusetts data protection law went into effect last March.

The law, which is regarded by experts as one of the strictest in the nation, requires all entities doing business in Massachusetts to implement specific controls for protecting customer data.

The law requires that companies encrypt all sensitive personal information of Massachusetts residents that is stored on portable devices such as PDAs and laptops or on storage media like memory sticks and DVDs.

The rule also mandates encryption for personal information transmitted over a wireless or public network.

In addition, companies are required to limit the amount of personal data they collect and need to ensure that they have adequate controls for protecting access to it.

The security requirements the company must implement under the settlement are based on the state's data protection rules, Coakley's office said.

In a statement emailed to Computerworld, The Briar Group said it "firmly" disagrees with some assertions made by the AG's office. "In particular, The Briar Group believes that it acted immediately and aggressively once it was informed of the possible breach," the statement said.

The company contends that it took "immediate and aggressive action" once the breach was discovered. The company said it informed credit card companies about the breach, worked with a security company to identify system vulnerabilities, upgraded its security systems and cooperated with a federal investigation into the matter.

"In addition, we proactively reported the issue to the Attorney General's office, informing them of both the potential breach and the action steps we were taking to address it," the company said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.

Copyright © 2011 IDG Communications, Inc.