Restaurant Data Breach Probe Filing: Card Data In Plain Text, Default Passwords And Wide Open Wireless Access

Written by Evan Schuman
April 6th, 2011

A Massachusetts restaurant chain, which was just fined $110,000 by that state’s attorney general as a result of a substantial data breach, is a textbook example of how not to handle payment security. Court filings from the case paint a classic picture: unchanged default passwords, wide open wireless access, full card data stored in plain text and an impressive lack of concern about the breach, with restaurants continuing to accept payment cards after the chain knew of the breach and malware that had not yet been deactivated.

The breach at the chain, The Briar Group (The Lenox, MJ O’Connor’s, Ned Devine’s, The Green Briar and The Harp), impacted at least 125,000 MasterCard and Visa customers, the state filing said. Other security naughtiness alleged: using the default usernames and passwords from its Micros POS systems, opting to not change network passwords “for more than five years,” allowing those username/password combos to be “used system-wide for all users” and then not changing passwords after employees quit or were fired.

Briar also “granted all of its employees local administrator access on their assigned desktop computers, thus imposing no limitation on the software that could be installed on corporate equipment,” the state said in a civil complaint.

The situation apparently began on April 24, 2009, when cyberthieves installed code on a Briar’s server to capture full Track 1 and Track 2 data, according to excerpts from a report by Verizon Business Network Services, which was retained to conduct a standard forensic investigation after the chain learned of the breach.

The incident was apparently discovered on Oct. 15, 2009, when an unidentified European processor detected payment card fraud and the common points of purchase pointed back to The Briar Group. On October 20, Visa contacted Briar’s acquirer—Sovereign Bank—which in turn reached out to First Data, which managed transactions for Briar. Briar received official notice of the breach from First Data on Oct. 29, 2009. A couple of weeks later—on November 13—Citigroup notified Briar of more fraudulent activity.

The Verizon probe’s initial report suggested that the malware’s creator was rather brazen, in that there seemed to be little attempt to hide what was being done. For example, one file in plain view on the server was labeled, according to the state filing, “C:\\WINDOWS\system32\memdump on each of Briar’s six compromised Micros 9700 Point of Sale servers.” Added the report: The program “parsed through the memory dumps [looking] for payment card data and saved it in an output file ‘’ that contained Tracks 1 and 2 data.”

The code was finally removed from Briar’s systems on Dec. 10, 2009, the filing said.

The state complaint detailed how it thinks the program spread: “The intruder was able to access Briar’s home server and from there was able to access the other restaurant locations and install malcode, because all of the affected locations were constructed on a flat network on a single Windows domain. A flat network is a network in which workstations are directly connected to one another, without intermediary hardware devices. The Micros 9700 POS servers had remote access utilities, including pcAnywhere and Microsoft Remote Desktop, enabled at the system start. The open configuration of these utilities allowed access of the Micros 9700 servers from the Internet.”

Massachusetts, citing the Verizon report, also didn’t care for Briar’s wireless network setup.

“Wireless networks were available at each of the affected locations, but did not have any security enabled on them, such as Wi-Fi Protected Access,” the complaint said. “The wireless and wired networks connected to a firewall, but were not properly segmented, as the Micros POS system was reachable once a user connected to Briar’s wireless network.”

Although the unencrypted payment card data is a horrible security practice, the state filing said it couldn’t prove that any unencrypted data made its way to the cyberthieves. Verizon “discovered 7,130 instances where unencrypted cardholder account numbers and expiration dates, in clear text, were retained,” the filing said.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.