IRVING, TX – The entertainment and restaurant chain Dave and Buster's Holdings Inc. has settled charges that it failed to adequately secure the credit and debit card information of customers, the Federal Trade Commission said this week.
The company, which has 53 restaurants, was hacked in mid-2007 by an intruder who installed unauthorized software to intercept data sent from the restaurants to credit card processing companies.
A nationwide hacking conspiracy that targeted the entertainment chain, Office Max and two other retailers resulted in what federal officials called the "unparalleled" theft of millions of credit card numbers. Banks that covered the money stolen from the cards lost more than $600,000 across the four retail chains. Three men were charged with the crimes in 2008.
On March 24, Alberto Gonzalez, 28, was sentenced in U.S. District Court to two concurrent 20-year stints in federal prison for his part in the scheme. Authorities said Gonzalez was the mastermind behind the hacking conspiracy.
The amusement company operates 53 restaurant and entertainment complexes across the country under the names Dave & Buster's, Dave & Buster's Grand Sports Café and Jillian's.
According to the FTC, Dave & Buster's will put in place a comprehensive information security program as a condition for settling the case. It said the company collects credit card numbers and expiration dates from customers in order to obtain authorization for payment card purchases. The agency charges the company failed to take reasonable steps to secure this sensitive personal information on its computer network.
Commission officials added that Dave & Buster's failed to take adequate measures to detect and prevent unauthorized access to the network; to adequately restrict outside access to the network, including access by service providers; to monitor and filter outbound data traffic to identify and block the export of sensitive personal information without authorization; and to use readily available security measures to limit access to its computer networks through wireless access points.
The FTC alleged that, as a result of these failures, a hacker exploited some of those vulnerabilities, installed unauthorized software and accessed about 130,000 credit and debit cards. The banks that issued the cards have claimed several hundred thousand dollars in fraudulent charges.
The settlement requires Dave & Buster's to establish and maintain a program designed to protect the security, confidentiality, and integrity of personal information collected from customers. It also requires the company to obtain independent professional audits every other year for 10 years, to ensure that the security program meets the standards of the settlement. In addition, the proposed settlement contains standard recordkeeping provisions to allow the FTC to monitor compliance.
The commission vote to approve the complaint and the proposed consent order was 4-0. An analysis of that consent order has been published in the Federal Register and is subject to public comment for 30 days, or until April 26, 2010, after which the FTC will decide whether to make it final.
The FTC said consent agreements and stipulated final orders are for settlement purposes only and do not constitute an admission by the defendant of a law violation. Stipulated final orders have the force of law when signed by the judge.
Shortly after the hacking conspiracy became public, Dave & Buster's said it had taken extensive steps to improve the security of its customers' credit card data.