In 2004, when the hacking occurred, Boston Market was notified of a potential data breach at a Florida location, located near other retailers that were suspected to have been targets. “We immediately hired a third party forensics team to look through our entire network as well as the computer system in that restaurant,” says Boston Market spokeswoman Angela Proctor. “And we immediately shut down any wireless in that restaurant.”
Authorities believe that the hackers used a tactic called “wardriving” where they cruised retail areas trying to pick up wireless networks then accessed credit card information using “sniffer” programs that captured card numbers, passwords, and account information.
According to the indictment, the conspirators then concealed the data in encrypted computer servers that they controlled in Eastern Europe and the U.S. They allegedly sold some of the credit and debit card numbers via the Internet and used blank cards they’d created to withdraw tens of thousands of dollars at a time from ATMs.
"This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results,” says U.S. Attorney for Massachusetts Michael J. Sullivan. “Consumers, companies, and governments from around the world must further develop ways to protect our sensitive personal and business information and detect those, whether here or abroad, that conspire to exploit technology for criminal gain."
Proctor echoes Sullivan’s emphasis on security and says Boston Market has not seen payments by credit or debit card decline at its stores. “We are very dedicated to security systems,” she says. “We are PCI compliant. None of the credit card information is stored in our restaurant terminal.”
The perpetrators operated an international hacking ring, requiring international cooperation to lead to their indictment. According to the Department of Justice, three of the defendants are U.S. citizens, one is from Estonia, three are from Ukraine, two are from China, and one is from Belarus. One individual is only known by an alias online, and his place of origin is unknown.
The other retailers named by the Department of Justice were: TJ Maxx, BJ’s Wholesale Club, OfficeMax, Barnes & Noble, Sports Authority, Forever 21, and DSW.