Chain confirms it was source of breach affecting conventions by Deirdre Fernandes

07/08/2014 06:58

A local restaurant chain confirmed Friday that its computer systems were breached, putting the credit-card information of thousands of customers at risk, including visitors who attended two major conventions in Boston.

The Briar Group, which owns 10 restaurants and bars in Boston, including two at the Westin hotel connected to the Boston Convention & Exhibition Center, said its computer systems were infiltrated sometime between October and early November. It said customer names, credit-card numbers, expiration dates, and security information were captured from the cards’ magnetic strips. 

The company isn’t sure how many customers were affected, but every month thousands visit Briar’s locations, said Diana C. Pisciotta, a spokeswoman for the chain.

Seventeen employees of the Massachusetts Convention Center Authority also reported having their data stolen. As recently as Dec. 18, one worker had his card fraudulently used to make a purchase of more than $200 at a Toys ‘R’ Us in California, said James E. Rooney, the authority’s executive director.The American Public Health Association hosted 13,000 conventioneers in Boston in early November, and the American Society of Human Genetics brought 8,000 attendees to a conference in October. Both reported that hundreds of people reported unauthorized charges on their accounts after visiting Boston.

The Briar’s properties located in Westin Boston Waterfront Hotel are M.J. O’Connor’s Restaurant and City Bar. The hotel provides accommodations to many convention attendees.

Other restaurants in the chain include Ned Devine’s, City Table, Anthem Kitchen Bar, Green Briar, Solas, Harp, Gather Food and Drink, and Brew Cafe. Both Solas and City Table are located in the Back Bay’s Lenox Hotel.

Briar’s has installed additional security to its systems since late November, after it first discovered that it may have been the source of the data theft, Pisciotta said. Company officials believe they have closed the entry point that thieves used to access the data.

“We are with 99 percent certainty that those worked,” Pisciotta said.

Boston is scheduled to host the annual meeting of convention planners -- the professionals who advise associations and large groups where to hold their events -- in less that two weeks.

Identifying where the theft occurred should go a long way in assuring them and other visitors to Boston that the city is addressing the problem, Rooney said

“Closure is a necessary step in the process here, in terms of knowing where this happened,” Rooney said.

But it remains unclear who engineered the theft. The Briar Group believes that it was a sophisticated, outside attack, Pisciotta said. Boston Police and the US Secret Service are investigating.

The US Attorney’s Office, which is overseeing the case, declined to comment.

This is the second major breach of the Briar Group’s payment systems. In 2009, malware, or malicious software, was apparently installed on Briar’s computers, allowing thieves to access credit and debit card information. The chain paid a $110,000 to the state to settle allegations that it failed to protect diners’ personal information after that security breach.

Data breaches are becoming increasingly common and complex. Earlier this month, Target,the giant retailer, acknowledged that 40 million credit and debit card accounts were stolen from its customers who shopped at its stores between Thanksgiving weekend and Dec. 15. Nearly one million of those accounts belonged to customers who made purchases at Target’s three dozen Massachusetts stores.

The theft compromised the financial data of customers who made purchases by swiping cards at terminals in Target’s US stores, exposing similar information as the Briar Group’s breach. In addition, Target on Friday acknowledged that the thieves also captured encrypted personal identification numbers, or PINs, that can be used for debit cards.

Briar’s restaurants do not accept PINs, so debit card information and accounts are not at risk, Pisciotta said.

The company posted an apology to customers on its website with information on how to contact credit reporting agencies. Briar has not offered affected customers free credit monitoring services, as other companies frequently do after data breaches.

Rooney, the convention authority executive director, said this data theft has heightened awareness about the risks to customer information. The convention center will hire a contractor to review its security systems, since it accepts credit cards at its food court and parking facilities.

The authority doesn’t believe its systems have been compromised, Rooney said.

The authority will host a data security conference this spring for local businesses, particularly those around Boston’s two convention halls, to make them aware of potential vulnerabilities and measures to protect customer information, Rooney said.

“There’s a lot of innocent ignorance about this subject,” he said.

Deirdre Fernandes can be reached at Follow her on Twitter@fernandesglobe.