Entertainment operation Dave & Buster’s, Inc. has agreed to settle Federal Trade Commission charges that the company left consumers’ credit and debit card information vulnerable to hackers, resulting in several hundred thousand dollars in fraudulent charges. Dave & Buster’s operates 53 restaurant and entertainment complexes across the country under the names Dave & Buster’s, Dave & Buster’s Grand Sports Café, and Jillian’s.

Dave & Buster’s will put in place a comprehensive information security program as a condition for settling the case. This is the FTC’s 27th case challenging faulty data security practices by organizations that handle sensitive consumer information.

According to the FTC, Dave & Buster’s collects credit card numbers and expiration dates from customers in order to obtain authorization for payment card purchases. The agency alleges the company failed to take reasonable steps to secure this sensitive personal information on its computer network. Specifically, it failed to:

  • Take sufficient measures to detect and prevent unauthorized access to the network.
  • Adequately restrict outside access to the network, including access by Dave & Buster’s service providers.
  • Monitor and filter outbound data traffic to identify and block the export of sensitive personal information without authorization.
  • Use readily available security measures to limit access to its computer networks through wireless access points.

The FTC alleged that, as a result of these failures, a hacker exploited some of those vulnerabilities, installed unauthorized software and accessed about 130,000 credit and debit cards. The banks that issued the cards have claimed several hundred thousand dollars in fraudulent charges.

The settlement requires Dave & Buster’s to establish and maintain a program designed to protect the security, confidentiality, and integrity of personal information collected from customers. It also requires the company to obtain independent, professional audits, every other year for 10 years, to ensure that the security program meets the standards of the settlement. In addition, the proposed settlement contains standard record-keeping provisions to allow the FTC to monitor compliance.

The Commission vote to approve the complaint and proposed consent order was 4-0. An analysis of the proposed consent order will be published in the Federal Register shortly and will be subject to public comment for 30 days, until April 26, 2010, after which the Commission will decide whether to make it final. Interested parties can submit written comments electronically or in paper form by following the instructions in the Invitation To Comment part of the “Supplementary Information” section. Comments in electronic form should be submitted using the following Web link: https://public.commentworks.com/ftc/daveandbusters (and following the instructions on the web-based form). Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-135 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580.


Next Article: Intrum Justitia Releases Notes from Annual General ...

Advertisement