DataBreaches.Net

Margarita’s Mexican Restaurant breach raises issues of law enforcement’s role in notifying the public (updated)

Posted on July 23, 2011 by Dissent

Brandon Scott reports that authorities have now named the source of a rash of card fraud reports in Huntsville, Texas. But what may be most significant about the news report is its focus on how law enforcement decided whether – or when – to reveal the point of compromise:

… Huntsville Police Department, Walker County Sheriff’s Office, University Police Department and the U. S. Secret Service worked together to determine the source of the thefts of debit and credit card numbers by virus-infected computers at Margarita’s Mexican Restaurant.

Margarita’s was hit by a type of “skimming,” in which credit card numbers are stolen before they can be encrypted by the restaurant’s point of sale system.

Skimming debit and credit card numbers can occur in many ways, remotely by computer hacking or on-site by a device placed on a computer, authorities said.

Residents began alerting the police to the problem almost three weeks ago, and a large jump in reported cases occurred about two weeks ago. Victims are still bringing cases to authorities as they find evidence in their bank and credit card statements.

At some point in the investigation, authorities knew most of the cases were connected to computers at Margarita’s, but they said they were reluctant to release the business’s name to the public for fear of retribution against the restaurant.

“We had determined it was Margarita’s, but it wasn’t necessarily something they had done,” said Huntsville Police Department Lt. Curt Landrum. “This was not one of their employees or a situation where someone who was directly affiliated with Margarita’s was selling information. We were seeing they had done the things they should do to prevent this. We were afraid that it would hurt their business.”

Once it became clear that the credit card numbers had been sold by thieves in batches on an underground market but not yet used by thieves, investigators decided the threat to the public took precedence over the threat to Margarita’s.

Read more on the Huntsville Item.

Should law enforcement be withholding information like the point of compromise for fear of hurting a business? Law enforcement may take the position that it’s not their place to notify the public and that it’s on the entity to disclose the information, but there’s something that doesn’t sit right about this approach. Doesn’t law enforcement work for us and not for the business? I wouldn’t mind if they told an entity, “Look, we’ll give you today to get a press release or notice out to the media, on your web site, or on your store door, but after that, we will disclose if you haven’t.” But that doesn’t seem to be what happened here. In this case, law enforcement decided that the risk to consumers outweighed other concerns. But if it hadn’t… then what?

The banks cancel cards and don’t tell us where a breach occurred – often because they’re not told, either.

Law enforcement may not tell us where a breach occurred.

Breached entities may not tell us when they’ve been breached.

This is really unacceptable.

And no, there’s no notice on Margarita’s web site about the breach as of the time of this posting.

Update of July 24:  The Huntsville Item has an editorial and apology on its site for its decision not to report the name of the business sooner.

They – and local law enforcement there, it seems – still don’t seem to get that even if a business is a victim of a cybercrime, ultimately it is the consumers who are the victims, and first and foremost they must be informed so that they can protect themselves. They must also be informed so they can make informed choices about with whom to do business.

Maybe if so many security firms stopped sounding empirically unsupported dire warnings about churn and loss of business, breached entities would feel less fear about disclosing breaches. But even if they do experience fear or some short-term loss of business, if they failed to protect consumer information, they need to step up to the plate and get the word out. They might be pleasantly surprised to find that many customers will understand and will actually commiserate with them.

Local businesses are vital to our communities. But protecting their reputation and business at the expense of the public turns law enforcement into a public relations arm of the business instead of having them remain public servants. Withholding disclosure until a point of compromise is confirmed seems reasonable. But after that, disclose, disclose, disclose!

Update 2: Law enforcement officials seem to be suggesting that the hack was not of Margarita’s but of their payment processor or acquirer. If that was the case, then the payment processor or acquirer needs to be named and I would guess that card issuers would have already figured out who that is. Even if the breach was at a payment processor’s or acquirer’s, though, Margarita’s customers should be informed that if they used their card there, they were/are at risk.

Category: Breach Incidents, Business Sector, Commentaries and Analyses, Hack, ID Theft, Of Note, U.S.


2 thoughts on “Margarita’s Mexican Restaurant breach raises issues of law enforcement’s role in notifying the public (updated)”

  1. Adam says:
    July 23, 2011 at 11:04 pm

    Law enforcement doesn’t withhold the streets on which muggings, rapes or murders occur. Nor do they withhold the names of arrested suspects, on the grounds that they might be innocent.

    We as a society need to deal with the question of retribution against businesses. Police can and should state what they know, and even their opinions. In a free society, they should not withhold information.

    1. admin says:
      July 24, 2011 at 7:39 am

      Agreed.

      And I need to go back and check, but my impression is that under Rep. Mary Bono Mack’s proposed breach notification law, the restaurant wouldn’t even have to notify individuals if only the card number (but no name) was captured. So we’d continue to have a slew of restaurant hacks involving card numbers, and they’d have to notify law enforcement/govt, but not consumers? We shouldn’t be the only ones in the dark.
