The Briar Group LLC, which runs Ned Devine's, the Green Briar, The Lenox, and other popular restaurants, has agreed to pay $110,000 to resolve allegations that the Boston chain failed to take reasonable steps to protect diners' personal information and put at risk the information on tens of thousands of credit and debit cards.
The settlement stems from a lawsuit filed by Massachusetts Attorney General Martha Coakley over a data breach the Briar Group suffered in April 2009. Malcode was apparently installed on the company's computer systems that allowed hackers to access customers’ credit and debit card information, including names and account numbers. The malcode was not removed from the Briar Group’s computers until December 2009.
The lawsuit filed in Suffolk Superior Court also alleges that the Briar Group failed to change default usernames and passwords on its point-of-sale computer system; allowed multiple employees to share common usernames and passwords; failed to properly secure its remote access utilities and wireless network; and continued to accept credit and debit cards from consumers after Briar knew of the data breach.
"The Briar Group is committed to high quality customer service at all of our restaurants. We take the security of our customer’s credit card information very seriously and therefore respond aggressively to any concerns that are brought to our attention," the restaurant chain said in a statement. "We believe the agreement we have entered into with the Attorney General’s office today achieves our shared goal of ensuring that our customers can use their credit cards with confidence in the security of their data."
But the Briar Group added in its statement that it believes that the restaurant chain acted immediately and aggressively once it was informed of the possible breach.
"We took immediate and aggressive action steps, including: informing the major credit card companies of the potential breach, working with the nation’s leading data security company to identify any weaknesses in our data systems and make system upgrades to further secure customer data and cooperating with a federal investigation into this matter," the statement said. "We are confident that customers dining at one of our restaurants can safely use their credit cards."
Under the terms of the settlement, the Briar Group must pay the Commonwealth $110,000 in civil penalties, comply with Massachusetts data security regulations and Payment Card Industry Data Security Standards, and establish and maintain an enhanced computer network security system. In addition, all restaurants in the Briar Group chain must develop a security password management system and implement data security measures to comply with Payment Card Industry Data Security Standards and state data security regulations, including implementing, maintaining, and adhering to a Written Information Security Program.
“When consumers use their credit and debit cards at Massachusetts establishments, they have an expectation that their personal information will be properly protected,” Coakley said in a statement. “In addition to the payment, this agreement also works to ensure that steps have been taken to protect consumer information moving forward.”