Major Boston Restaurant Group That Failed to Secure Personal Data to Pay $110,000 Under Settlement with AG Coakley
Penalty Paid In Connection With 2009 Data Breach At Restaurants That Include Ned Devine's, The Green Briar, The Harp, And Others
"When consumers use their credit and debit cards at Massachusetts establishments, they have an expectation that their personal information will be properly protected," AG Coakley said. "In this instance, the Briar Group did not take proper protections to protect customers' personal information. In addition to the payment, this agreement also works to ensure that steps have been taken to protect consumer information moving forward. Our office will continue to take action against companies that fail to implement basic security measures on their computer systems to protect the sensitive information entrusted to them by consumers."
According to the lawsuit, filed in Suffolk Superior Court, the Briar Group experienced a data breach in April 2009, when malcode that was installed on Briar's computer systems allowed hackers access to customers' credit and debit card information, including names and account numbers. The malcode was not removed from the Briar Group's computers until December 2009.
Further, the complaint alleges that the Briar Group failed to change default usernames and passwords on its point-of-sale computer system; allowed multiple employees to share common usernames and passwords; failed to properly secure its remote access utilities and wireless network; and continued to accept credit and debit cards from consumers after Briar knew of the data breach.
The judgment, signed on March 28, 2011, by Suffolk Superior Court Judge Giles, requires a payment to the Commonwealth of $110,000 in civil penalties; compliance with Massachusetts data security regulations; compliance with Payment Card Industry Data Security Standards; and the establishment and maintenance of an enhanced computer network security system.
Under the terms of the settlement, all restaurants in the Briar Group chain must develop a security password management system and implement data security measures to comply with Payment Card Industry Data Security Standards and state data security regulations, including implementation, maintenance, and adherence to a Written Information Security Program.
Although the data breach occurred prior to the effective date of the Massachusetts data security regulations, the data security standards set forth in the regulations were used in the settlement.
This matter was handled by Assistant Attorneys General Scott D. Schafer and Shannon Choy-Seymour of the Consumer Protection Division.