Kitchen Confidential: Massachusetts Case Lays Bare Unsanitary Data Security Practices
By Paul F. Roberts, Editor, Threatpost.com
I worked in my share of kitchens when I was younger. I washed dishes, made salads and worked the grill as a short-order cook. And let me say this: one rule you learn when you work in the kitchen is - to borrow a phrase from the folks in Las Vegas - “What happens in the kitchen stays in the kitchen.” That includes the mouse turds in the pantry, the creative application of wilted vegetables, your colleagues’ suspect personal hygiene and the waitresses' liberal application of the five-second rule.
Now, it turns out, sloppy practices in the kitchen aren't limited to food preparation. A consent agreement released by the Massachusetts Attorney General in March provides ample evidence that it extends to data security practices as well.
The settlement, in the case of Commonwealth of Massachusetts vs. Briar Group LLC, was filed on March 28. The state had sued the company, which operates a string of bars and restaurants in the Boston area, after it was revealed that credit card information for more than 100,000 patrons had been stolen off the company's network. A complaint in that case was also released.
The case was the first to issue fines for a violation of Massachusetts' toughest-in-the-nation data privacy law, 201 CMR 17, and laid bare the kinds of lax data security practices that can lead to a breach. Briar is charged with exposing data on more than 53,000 MasterCard accounts and 72,000 Visa accounts, according to information published by the blog Massdataprivacylaw.
Among other things, Briar is accused of failing to check the "sell by" dates; it didn't change default user names and passwords for its Micros Point of Sale system, and neglected to change passwords to access its computer network for more than five years.
On the hygiene issue, the company allowed employees to share user names and passwords on its systems, and neglected to remove the accounts of employees - or even change their account passwords - after they resigned or were terminated. The company had few controls over which employees had administrative access to the company's computer network and failed to properly secure its remote access utilities and wireless network, the consent agreement states.
Even worse for Briar's patrons, the credit and debit card data used to pay for meals and drinks was stored in clear text on its servers, in clear violation of the State's data privacy law, as well as Payment Card Industry (PCI) standards. Briar also kept taking credit card data for almost a month after it learned that malicious code on its network was siphoning off the data, but before it had removed the malware infection. Fraudulent purchases linked to the breach have been recorded in a handful of U.S. states and as far away as India and Saudi Arabia, Massdataprivacylaw.com reported.
In a statement, Briar offered a spirited defense of its practices, saying that the security of its customers' credit card information was a top priority for the company and that it "believes that it acted immediately and aggressively once it was informed of the possible breach." Whatever the case, the list of infractions provided by the Attorney General is dispiriting and indicative of what one compliance expert says is a culture of loose data security that's rife in industries like food services and retail.
"These are industries where you have an abundance of legacy equipment like point-of-sale terminals that's just been sitting there and hasn't been attended to," said Cynthia LaRose of the law firm Mintz Levin in Boston.
Issues like using strong passwords and protecting sensitive data such as credit card account numbers at rest are "Security 101," LaRose said. The bigger lesson for businesses out of the case against Briar is that they need to develop the capability to detect and respond to attacks.
"We're seeing this in rulings from the FTC, also," she said. "There's an evolving standard that says 'you need to establish the means for monitoring your networks and detecting breaches.’"
Businesses that might be inclined to follow the data security equivalent of the "five-second rule" also shouldn't take solace from the relatively low amount of the penalty assessed to Briar Group: just $110,000 for the loss of what's estimated to be financial information on 125,000 consumers, or less than $1 per record.
LaRose thinks that the Attorney General may well have considered mitigating factors in the case, including Briar's ultimate decision to report the breach itself. But other firms may not be as lucky.
"I think this award is on the low side," LaRose said. "Companies absolutely should not look at this on a per record basis. They should look at it and say 'OK, you've got a $110,000 fine up front and a lot of compliance that needs to happen quickly.'"
That includes compliance with the PCI DSS, a stipulation of the AG's settlement with Briar. While the Attorney General could have pursued a case against Briar under the State's data breach law, known as MGL (Massachusetts General Laws) 93A, 201 CMR 17 provided the real framework for the settlement. And, with the one-year anniversary of that law just passed, LaRose anticipates more cases from the Attorney General enforcing its terms.
Paul Roberts is an editor at Threatpost.com. Paul brings close to a decade of experience as a technology security reporter and analyst. Before joining Threatpost, Paul was a senior analyst covering enterprise security for The 451 Group, an industry analyst firm. As a reporter and editor, he has written for leading technology publications including InfoWorld, eWeek, IDG News Service, and TechTarget. Paul focuses on breaking security and enterprise-focused technology news and analysis. His writing has appeared in the Boston Globe, Salon.com and Fortune Small Business. Paul has also appeared as a guest on The Oprah Winfrey Show and been interviewed on subjects related to computer security for television, radio and web-based media.