Boston Market among hacking ring victims

BOSTON Boston Market and Dave & Buster’s are among nine retailers that fell victim to a global identity theft ring in which more than 40 million consumer credit card numbers were stolen, according to a Justice Department announcement last week.

While Dave & Buster’s publicly revealed earlier this year that its computer system had been hacked, the Justice Department’s statement [2] appears to be the first indication that Boston Market was also involved. A spokeswoman for the fast-casual chain said Tuesday said that the company had been alerted to a possible data breach in 2004, when one restaurant in South Florida was hacked.

After being notified by authorities, Boston Market shut down all wireless data activity in the store and hired a third party to review the company's computer systems, said spokeswoman Angela Proctor. She said Boston Market was now confident in its data security.

“None of the credit card information that is swiped is ever stored in our computer terminals or our servers,” said spokeswoman Angela Proctor. “We take our customers’ security very seriously, and we are always looking at our systems and making updates.”

Athree-year investigation by the Justice Department into the identity theft ring led a federal grand jury in Boston to indict 11 people last week, including three from the United States. The others were from Belarus, China, Estonia and Ukraine, along with an anonymous individual of unknown origin. U.S. attorney general Michael B. Mukasey said the identity theft case is believed to be “the single largest and most complex” ever charged in the nation.

The other companies also allegedly breached included TJ Maxx parent TJX Cos., BJ’s Wholesale Club, OfficeMax, Barnes & Noble, Sports Authority, Forever 21 and DSW, the Justice Department said. The suspects in the case obtained the credit and debit card numbers by hacking into the retailers’ wireless networks and installing “sniffer” programs to capture card numbers and account information and passwords, it added.

Hacking incidents have increased even as foodservice companies have applied the controversial Payment Card Industry Data Security Standards, or PCI DSS, which took effect in September 2006. The standards currently are undergoing a revision.

Dave & Buster’s revealed earlier this year that it was alerted to the hacking of its restaurant credit card system in 2007 and that it immediately contacted the U.S. Secret Service. While Dave & Buster’s aided the government investigations, the company said, it also retained outside security experts who identified the source of the misused data. The company said it has implemented additional security measures to prevent similar incidents.

The 11 Dave & Buster’s that were compromised included two units in Dallas and branches in Westminster, Colo.; Islandia, N.Y.; West Nyack, N.Y.; Utica, Mich.; Chicago; Columbus, Ohio; Jacksonville, Fla.; Austin, Texas; and Frisco, Texas.

Neither Dave & Buster’s nor the government indicated the full extent of losses from the data breach. The Justice Department said that from one restaurant alone a “packet sniffer” code was used to capture data taken from about 5,000 credit cards, which then was sold to others who made purchases on the accounts. The theft from that individual restaurant eventually caused losses of at least $600,000 to issuing financial institutions, authorities indicated.

Dave & Buster’s said it does not store credit or debit card numbers or customer names.