Massachusetts Attorney General v. Briar Group, LLC - Data Breach Settlement - the details
Yesterday news broke (thanks to Jenn Abelson of the Boston Globe) that the Massachusetts Attorney General had come to an agreement with Briar Group, LLC regarding a data breach that dates back to 2009. I wrote on the topic and continued to investigate...
A little research by your author turned up some interesting facts:
One, the complaint was filed by the Attorney General in Suffolk Superior Court the same day as the announced settlement.
Two, the facts alleged in the complaint are a lot more scary than what was relayed in the press release.
Apparently the Attorney General was contacted by the Briar Group on November 25, 2009 and was informed by Briar that they had suffered a data breach. In fact, on November 25, 2009 the breach was STILL ONGOING. It wasn't until December 10, 2009 that the "malcode" was removed, thus ending the known breach.
Some significant highlights of the complaint filed in court:
- The breach involved "over 53,000 MasterCard accounts and over 72,000 VISA accounts."
- Six of Briar's twelve locations were affected (Ned Devine's, The Lenox, The Harp, MJ O'Connor's Back Bay, MJ O'Connor's Waterfront, and The Green Briar).
- The breach was discovered by a payment card processor in EUROPE on October 15, 2009.
- The initial breach occurred at Ned Devine's in Faneuil Hall.
- Briar was informed of the breach on or about October 29, 2009.
- The president of Briar wrote an e-mail on November 5, 2009 stating that he wanted "to do the right thing" but did not want to "pay for an investigation that they could somehow avoid."
- Briar hired Verizon Business Network Services only after being required by VISA to do so.
- Verizon Business Network Services started work on November 15, 2009, and established that the "malcode" was installed on April 24, 2009 and was gathering the "account number, cardholder name, expiration date and secure code."
- Briar continued to accept credit cards the whole time.
- The "malcode" was removed on December 10, 2009.
- Briar had not changed passwords in over 5 years.
- Briar had outsourced its IT work to Bromley Engineering.
- Peter Bromley... of Bromley Engineering noted in a December 2, 2009 e-mail to Briar that Briar's security "problems came up years ago when I first returned to Briar and saw the blatant lack of even basic security on the Micros servers." A second e-mail on March 25, 2010: "Probably the most egregious practice had been that all the Micros servers with which I have had contact used the same administrator and password - even at different restaurants."
- The compromised accounts were used in Arizona, California, Nevada, Texas, the United Kingdom, Italy, India and Saudi Arabia.
- More than 125,000 consumers were harmed by Briar's conduct.
Did you visit one of these restaurants between April 24, 2009 and December 10, 2009? Did you pay by credit or debit card? Are you in the "know" or in the "dark"? Have you heard from The Briar Group, LLC? From the Attorney General? If so, I'd like to hear about it, unless you have been sworn to secrecy.
So, we find out yesterday, March 28, 2011, some 25 months after the incident really happened and some 16 months after the known breach had been contained.
[** A release by the New York Consumer Protection Board called the "Data Breach Report for the period of March 2010" lists that on 3/11/2010 The Green Briar, City Bar Solas, Ned Devine's Paris, The Harp, and MJ O'Connor's reported having suffered a "Hacking" affecting a total of 25 New York residents. So either there's a twin in NYC, or this is Briar.]
What breaches are currently ongoing that we won't find out about for 2 more years???
It appears to me that the Attorney General did a thorough and complete job investigating the breach and it's likely that the delay in filing a complaint or going public was due to an ongoing criminal investigation which I hope was successful.
The errors that Briar Group made are easily remedied IF a company takes security seriously. Their computer network setup had nothing in the way of real security; heck, they even had an unprotected WIFI network with access to their main system. Seriously? Unprotected WIFI?
The Attorney General did NOT bring this action under MGL 93H, the "data breach law" now in force. The date of the breach pre-dated the effective date of the law. This is NOT the FIRST enforcement action under 93H / 201CMR17. This IS a serious breach. The details of the complaint show a complete disregard for the security of consumer information. This action was brought under MGL 93A, the consumer protection statute.
If you are a restaurant group or a single proprietor, or a retail business or any business owner or decision maker who hasn't really thought about securing your information, please reconsider.
Although $110,000.00 sounds like a lot of money, the fine could have, and based on what I read, should have been, much higher. The damage to the Briar Group's reputation is an intangible... will I go to their locations, probably... I don't know. How about 5 years from now when no one's watching them anymore? If I do, I'll definitely use cash.
Taking credit cards when you know you have a problem is really disturbing, and I hope that $110,000.00 sends enough of a message, because it equates to roughly 88 cents per affected person. Not exactly a stinging fine now, is it?