Privacy breach case is settled
Restaurant group to pay Mass. $110,000
The Briar Group, which runs Ned Devine’s, the Green Briar, the Lenox, and other popular restaurants, has agreed to pay $110,000 to resolve allegations that the Boston chain failed to take reasonable steps to protect diners’ personal information and put at risk tens of thousands of credit and debit card accounts.
The settlement stems from a lawsuit filed by Massachusetts Attorney General Martha Coakley over a data breach the Briar Group suffered in April 2009. Briar’s failure to implement basic data security measures enabled hackers to access customers’ credit and debit card information, including names and account numbers, according to the lawsuit. The hackers’ malware — malicious software designed to infiltrate computer systems — that caused the security problems was not removed from the company’s computers until December 2009.
The lawsuit filed in Suffolk Superior Court also alleges that the Briar Group failed to change default usernames and passwords on its point-of-sale computer system; allowed multiple employees to share common usernames and passwords; failed to properly secure its remote access utilities and wireless network; and continued to accept credit and debit cards from consumers after Briar knew of the data breach.
“The Briar Group is committed to high-quality customer service at all of our restaurants. We take the security of our customer’s credit card information very seriously and therefore respond aggressively to any concerns that are brought to our attention,’’ the restaurant chain said in a statement. “We believe the agreement we have entered into with the attorney general’s office achieves our shared goal of ensuring that our customers can use their credit cards with confidence in the security of their data.’’
But the Briar Group added in its statement that it believes it chain acted immediately once it was informed of the possible breach.
“We took immediate and aggressive action steps, including: informing the major credit card companies of the potential breach, working with the nation’s leading data security company to identify any weaknesses in our data systems and make system upgrades to further secure customer data and cooperating with a federal investigation into this matter,’’ the statement said. “We are confident that customers dining at one of our restaurants can safely use their credit cards.’’
Under the terms of the settlement, the Briar Group must pay the Commonwealth $110,000 in civil penalties; comply with state data security regulations and Payment Card Industry Data Security Standards; and maintain an enhanced computer network security system.
“When consumers use their credit and debit cards at Massachusetts establishments, they have an expectation that their personal information will be properly protected,’’ Coakley said in a statement. “In addition to the payment, this agreement also works to ensure that steps have been taken to protect consumer information moving forward.’’
Jenn Abelson can be reached at firstname.lastname@example.org.