StorefrontBacktalk

Restaurant Data Breach Probe Filing: Card Data In Plain Text, Default Passwords And Wide Open Wireless Access

Written by Evan Schuman

April 6th, 2011

A Massachusetts restaurant chain, which was just fined $110,000 by that state’s attorney general as a result of a substantial data breach, is a textbook example of how not to handle payment security. Court filings from the case paint a classic picture: unchanged default passwords, wide open wireless access, full card data stored in plain text and an impressive lack of concern about the breach, with restaurants continuing to accept payment cards after the chain knew of the breach and malware that had not yet been deactivated.

The breach at the chain, The Briar Group (The Lenox, MJ O’Connor’s, Ned Devine’s, The Green Briar and The Harp), impacted at least 125,000 MasterCard and Visa customers, the state filing said. Other security naughtiness alleged: using the default usernames and passwords from its Micros POS systems, opting to not change network passwords “for more than five years,” allowing those username/password combos to be “used system-wide for all users” and then not changing passwords after employees quit or were fired.

Briar also “granted all of its employees local administrator access on their assigned desktop computers, thus imposing no limitation on the software that could be installed on corporate equipment,” the state said in a civil complaint.

The situation apparently began on April 24, 2009, when cyberthieves installed code on a Briar’s server to capture full Track 1 and Track 2 data, according to excerpts from a report by Verizon Business Network Services, which was retained to conduct a standard forensic investigation after the chain learned of the breach.

The incident was apparently discovered on Oct. 15, 2009, when an unidentified European processor detected payment card fraud and the common points of purchase pointed back to The Briar Group. On October 20, Visa contacted Briar’s acquirer—Sovereign Bank—which in turn reached out to First Data, which managed transactions for Briar. Briar received official notice of the breach from First Data on Oct. 29, 2009. A couple of weeks later—on November 13—Citigroup notified Briar of more fraudulent activity.

The Verizon probe’s initial report suggested that the malware’s creator was rather brazen, in that there seemed to be little attempt to hide what was being done. For example, one file in plain view on the server was labeled, according to the state filing, “C:\\WINDOWS\system32\memdump on each of Briar’s six compromised Micros 9700 Point of Sale servers.” Added the report: The program “parsed through the memory dumps [looking] for payment card data and saved it in an output file ‘inetinfo.ch’ that contained Tracks 1 and 2 data.”

The code was finally removed from Briar’s systems on Dec. 10, 2009, the filing said.

The state complaint detailed how it thinks the program spread: “The intruder was able to access Briar’s home server and from there was able to access the other restaurant locations and install malcode, because all of the affected locations were constructed on a flat network on a single Windows domain. A flat network is a network in which workstations are directly connected to one another, without intermediary hardware devices. The Micros 9700 POS servers had remote access utilities, including pcAnywhere and Microsoft Remote Desktop, enabled at the system start. The open configuration of these utilities allowed access of the Micros 9700 servers from the Internet.”

Massachusetts, citing the Verizon report, also didn’t care for Briar’s wireless network setup.

“Wireless networks were available at each of the affected locations, but did not have any security enabled on them, such as Wi-Fi Protected Access,” the complaint said. “The wireless and wired networks connected to a firewall, but were not properly segmented, as the Micros POS system was reachable once a user connected to Briar’s wireless network.”

Although the unencrypted payment card data is a horrible security practice, the state filing said it couldn’t prove that any unencrypted data made its way to the cyberthieves. Verizon “discovered 7,130 instances where unencrypted cardholder account numbers and expiration dates, in clear text, were retained,” the filing said.

Posted in In-Store, IT Strategy/Industry, Mobile/Wireless/Contactless, Payment Systems, Security/Fraud

Comments are closed.

StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Kindle Convenience - StorefrontBacktalk is now available natively on the Kindle so you can read us on the place without a connection.

Read StorefrontBacktalk's Retailing Column every month at Retail-Week.com. Please click here for an archive of those columns.

Read StorefrontBacktalk's Retail Realities Column every week at CBSNews.com. Please click here for an archive of those columns.