According to a lawsuit filed by Massachusetts Attorney General Martha Coakley, the Briar Group failed to remove malware that was installed on its computer system, allowing hackers to access customers’ credit card and debit card information for eight months. The malware was installed in April 2009 and not removed until December 2009, according to the lawsuit.
In addition, the company failed to change default user names and passwords on its point-of-sale computer system, allowed multiple employees to share common user names and passwords, failed to properly secure its remote access utilities and wireless network, and continued to accept credit and debit cards from consumers after it knew of the data breach, the lawsuit alleged.
The Briar Group disputed the allegation that it continued to accept credit and debit cards after it knew of the breach. “We took immediate and aggressive action steps, including informing the major credit card companies of the potential breach, working with the nation’s leading data security company to identify any weaknesses in our data systems and making system upgrades to further secure customer data and cooperating with a federal investigation into this matter”, according to a company statement quoted in the Boston Globe.
The company settled the lawsuit by agreeing to pay the fine, as well as develop a security password management system and implement data security measures to comply with PCI Data Security Standards, including implementation, maintenance, and adherence to a written information security program.
“The Briar Group did not take proper protections to protect customers’ personal information. In addition to the payment, this agreement also works to ensure that steps have been taken to protect consumer information moving forward”, Coakley said.
The attorney general noted that, although the data breach occurred prior to the effective date of the state’s new data security law, the data security standards in the regulations were used in the settlement.