More than 130,000 Customers' Credit or Debit Cards Compromised
Entertainment operation Dave & Buster’s, Inc. has agreed to settle Federal Trade Commission charges that the company left consumers’ credit and debit card information vulnerable to hackers, resulting in several hundred thousand dollars in fraudulent charges. Dave & Buster’s operates 53 restaurant and entertainment complexes across the country under the names Dave & Buster’s, Dave & Buster’s Grand Sports Café, and Jillian’s.
Dave & Buster’s will put in place a comprehensive information security program as a condition for settling the case. This is the FTC’s 27th case challenging faulty data security practices by organizations that handle sensitive consumer information.
According to the FTC, Dave & Buster’s collects credit card numbers and expiration dates from customers in order to obtain authorization for payment card purchases. The agency alleges the company failed to take reasonable steps to secure this sensitive personal information on its computer network. Specifically, it failed to:
- Take sufficient measures to detect and prevent unauthorized access to the network.
- Adequately restrict outside access to the network, including access by Dave & Buster’s service providers.
- Monitor and filter outbound data traffic to identify and block the export of sensitive personal information without authorization.
- Use readily available security measures to limit access to its computer networks through wireless access points.
The FTC alleged that, as a result of these failures, a hacker exploited some of those vulnerabilities, installed unauthorized software and accessed about 130,000 credit and debit cards. The banks that issued the cards have claimed several hundred thousand dollars in fraudulent charges.
The settlement requires Dave & Buster’s to establish and maintain a program designed to protect the security, confidentiality, and integrity of personal information collected from customers. It also requires the company to obtain independent, professional audits, every other year for 10 years, to ensure that the security program meets the standards of the settlement. In addition, the proposed settlement contains standard record-keeping provisions to allow the FTC to monitor compliance.
The Commission vote to approve the complaint and proposed consent order was 4-0. An analysis of the proposed consent order will be published in the Federal Register shortly and will be subject to public comment for 30 days, until April 26, 2010, after which the Commission will decide whether to make it final. Interested parties can submit written comments electronically or in paper form by following the instructions in the Invitation To Comment part of the “Supplementary Information” section. Comments in electronic form should be submitted using the following Web link: https://public.commentworks.com/ftc/daveandbusters (and following the instructions on the web-based form). Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-135 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The complaint is not a finding or ruling that the respondent has actually violated the law. The consent agreement is for settlement purposes only and does not constitute admission by the respondent of a law violation.
NOTE: Consent agreements and stipulated final orders are for settlement purposes only and do not constitute an admission by the defendant of a law violation. Stipulated final orders have the force of law when signed by the judge. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000.
Copies of the complaint, proposed consent agreement, and an analysis of the agreement to aid in public comment are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580.
The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,800 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s Web site provides free information on a variety of consumer topics.
(FTC File No. 0823153)
Office of Public Affairs
Bureau of Consumer Protection