State, feds investigating data breach at The Works

Saturday February 2, 2013

BRATTLEBORO -- The Works Bakery Cafe, in a statement released on Friday afternoon, confirmed it was cooperating with state and federal authorities in the investigation of allegations and reports concerning theft of customer credit card and debit card account information.

"While I have been asked by federal and state law enforcement not to comment about any specifics of the ongoing investigation, I do want to make it clear to our loyal customers that we take this situation very seriously and took steps in response immediately," said Richard French, president of The Works Bakery Cafe.

A spokesman for the regional Secret Service office in Burlington said it doesn't comment on "any open investigations."

"We can't comment on existing or non-existing investigations," said Assistant Attorney General Ryan Kriger, who is in the AG's Public Protection Division, adding, "We are focused on protecting the public, while the Secret Service is more concerned with getting the bad guys."

"While it appears that The Works Bakery Cafe and some of our customers may have been victimized by criminal activity, we have done everything possible to limit the damage and end the threat immediately," stated French.

On its website,, Brattleboro Savings & Loan is warning its customers of a possible data breach at The Works and is advising its clients to check their accounts for any unauthorized activity.

"We have been seeing a significant increase in fraudulent debit card transactions over the past week," states the notification. "It appears that criminals have stolen private debit card information, created fraudulent cards, and are using these across the U.S. to make unauthorized purchases."

BS&L is informing its customers who used a debit card at The Works at any of its locations in Vermont, New Hampshire or Maine during the past month, "there is a risk that your account may have been compromised."

The Works has locations in Manchester and Brattleboro; Keene, Portsmouth, Concord, and Durham, N.H.; and Portland, Maine.

Those who suspect their accounts might have been compromised should carefully review their accounts for any unauthorized charges and keep a daily check on their transactions. If any discrepancies are noted, they should notify their financial institution right away and ask that their cards be blocked and a new one be issued.

"Even if your account has not been fraudulently charged, we may be issuing you a new, secure debit card shortly as a preventive measure," states the BS&L notice.

Vermont has a set of statutes regulating commerce and trade and a subsection deals with protection of personal information and what a merchant must do if it determines it has been a victim of a data breach.

"When a business in Vermont, or any company doing business in Vermont, suffers a data breach, they should take steps to figure out what happened and to fix the breach," said Kriger.

Under the statute, said Kriger, notification to the Attorney General's Office or the Vermont Department of Financial Regulations must be made within 14 days of the discovery.

Customers must be notified "in the most expedient time possible and without unreasonable delay, but not later than 45 days after the discovery ..." states the statute.

"Once a breach has happened, damage could happen quickly," said Kriger. "Businesses should notify customers soon, but we understand the wheels of business sometimes move slowly."

Businesses often are not the first to know they've been hacked, he said. Sometimes they find out from their financial institutions or their customers that their systems have been compromised.

The Attorney General's Office has proposed amendments to the consumer protection statute that would impose minimum standards for data protection and system monitoring, he said.

Currently, the state relies on standards issued by the Payment Care Industry Security Standards Council, which describes itself as "an open global forum" that is responsible for the development, management, education and awareness of payment card security.

"When you agree to take credit cards, you agree to be PCI compliant," said Kriger.

In most cases, merchants are not liable for the financial loss of its customers. Kriger said merchants are just as much victims of these types of crimes as those who have had their credit and debit card information stolen.

"As a general matter, the banks eat most of these costs. In some circumstances, banks can try to get money back from a merchant, but if you have a very small merchant and hundreds of thousands of dollars in damages, how are you going to get it?"

And in an era when governments and organizations such as the New York Times and the Wall Street Journal are being hacked into, it's hard for a small-business owner to keep ahead of the technology utilized by criminals, he said.

Still, said Kriger, there are some steps business owners can take to hopefully prevent data breaches.

"Make sure your software is up to date and that you download the patches," he said. In addition, change default passwords on routers and WiFi systems and take steps to encrypt certain data.

Many small businesses are not equipped to handle data security and there are a number of private companies that specialize in protecting confidential information, said Kriger.

In most cases, when a card is swiped through a reader, the information goes to a financial institution, a confirmation is sent back to the merchant and no data is stored by a business. But if malware has been inserted in a company's data system, it could be quietly gathering information before firing it off to the hackers.

There is also hardware called skimmers that are installed over card readers at gas station pumps and ATMs that steal data. In some cases, employees actually steal the information using handheld devices.

Authorities are urging anyone who has used a debit or credit card at any of The Works Bakery Cafe locations to contact their financial institutions immediately to report the possible compromise of their card information by the fraudulent use of malware by third-party criminals.

For information on consumer protection, visit

Bob Audette can be reached at, or at 802-254-2311, ext. 160. Follow Bob on Twitter @audette.reformer.


If you'd like to leave a comment (or a tip or a question) about this story with the editors, please email us. We also welcome letters to the editor for publication; you can do that by filling out our letters form and submitting it to the newsroom.

Powered by Creative Circle Media Solutions