BreachExchange mailing list archives

Chain confirms it was source of breach affecting conventions


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Sat, 28 Dec 2013 22:02:56 -0700

http://www.bostonglobe.com/business/2013/12/27/local-restaurant-chain-source-data-breach-that-compromised-card-info-conventioneers/wPhKKndyN4hshrU47J2rwO/story.html

A local restaurant chain confirmed Friday that its computer systems were
breached, putting the credit-card information of thousands of customers at
risk, including visitors who attended two major conventions in Boston.

The Briar Group, which owns 10 restaurants and bars in Boston, including
two at the Westin hotel connected to the Boston Convention & Exhibition
Center, said its computer systems were infiltrated sometime between October
and early November. It said customer names, credit-card numbers, expiration
dates, and security information were captured from the cards’ magnetic
strips.

The company isn’t sure how many customers were affected, but every month
thousands visit Briar’s locations, said Diana C. Pisciotta, a spokeswoman
for the chain.

The American Public Health Association hosted 13,000 conventioneers in
Boston in early November, and the American Society of Human Genetics
brought 8,000 attendees to a conference in October. Both reported that
hundreds of people reported unauthorized charges on their accounts after
visiting Boston.

Seventeen employees of the Massachusetts Convention Center Authority also
reported having their data stolen. As recently as Dec. 18, one worker had
his card fraudulently used to make a purchase of more than $200 at a Toys
‘R’ Us in California, said James E. Rooney, the authority’s executive
director.

The Briar’s properties located in Westin Boston Waterfront Hotel are M.J.
O’Connor’s Restaurant and City Bar. The hotel provides accommodations to
many convention attendees.

Other restaurants in the chain include Ned Devine’s, City Table, Anthem
Kitchen Bar, Green Briar, Solas, Harp, Gather Food and Drink, and Brew
Cafe. Both Solas and City Table are located in the Back Bay’s Lenox Hotel.

Briar’s has installed additional security to its systems since late
November, after it first discovered that it may have been the source of the
data theft, Pisciotta said. Company officials believe they have closed the
entry point that thieves used to access the data.

“We are with 99 percent certainty that those worked,” Pisciotta said.

Boston is scheduled to host the annual meeting of convention planners --
the professionals who advise associations and large groups where to hold
their events -- in less than two weeks.

Identifying where the theft occurred should go a long way in assuring them
and other visitors to Boston that the city is addressing the problem,
Rooney said.

“Closure is a necessary step in the process here, in terms of knowing where
this happened,” Rooney said.

But it remains unclear who engineered the theft. The Briar Group believes
that it was a sophisticated, outside attack, Pisciotta said. Boston Police
and the US Secret Service are investigating.

The US Attorney’s Office, which is overseeing the case, declined to comment.

This is the second major breach of the Briar Group’s payment systems. In
2009, malware, or malicious software, was apparently installed on Briar’s
computers, allowing thieves to access credit and debit card information.
The chain paid $110,000 to the state to settle allegations that it failed
to protect diners’ personal information after that security breach.

Data breaches are becoming increasingly common and complex. Earlier this
month, Target, the giant retailer, acknowledged that 40 million credit and
debit card accounts were stolen from its customers who shopped at its
stores between Thanksgiving weekend and Dec. 15. Nearly one million of
those accounts belonged to customers who made purchases at Target’s three
dozen Massachusetts stores.

The theft compromised the financial data of customers who made purchases by
swiping cards at terminals in Target’s US stores, exposing similar
information as the Briar Group’s breach. In addition, Target on Friday
acknowledged that the thieves also captured encrypted personal
identification numbers, or PINs, that can be used for debit cards.

Briar’s restaurants do not accept PINs, so debit card information and
accounts are not at risk, Pisciotta said.

The company posted an apology to customers on its website with information
on how to contact credit reporting agencies. Briar has not offered affected
customers free credit monitoring services, as other companies frequently do
after data breaches.

Rooney, the convention authority executive director, said this data theft
has heightened awareness about the risks to customer information. The
convention center will hire a contractor to review its security systems,
since it accepts credit cards at its food court and parking facilities.

The authority doesn’t believe its systems have been compromised, Rooney
said.

The authority will host a data security conference this spring for local
businesses, particularly those around Boston’s two convention halls, to
make them aware of potential vulnerabilities and measures to protect
customer information, Rooney said.

“There’s a lot of innocent ignorance about this subject,” he said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
