Dave & Buster's

Under Review: 
No Review
Date Breach Made Public: 
May 12, 2008
Islandia , NY
United States
New York US
Records Breached: 


Breach Total Number: 
80 000
Dataloss DB
Year of Breach: 
Type of organization: 
Type of breach: 

Three men have been charged with hacking into 11 Dave & Buster's networks and then remotely installing "packet sniffer" software on point-of-sale servers at locations throughout the U.S. A packet sniffer logs information being sent over a network. In this case, the criminals used it to log credit and payment card data as it was sent from the branch locations to corporate headquarters. The hacking took place from April to September 2007. At Dave & Buster's Islandia, New York, location, the hackers accessed details of about 5,000 payment cards. The information was sold to other criminals who then used the card numbers to scam online merchants. The criminals were able to post at least $600,000 in fraudulent transactions from 675 cards taken from this one store.

UPDATE (04/05/2010): In reaching a settlement with Dave & Buster’s, the FTC quietly and without fanfare introduced a new security standard, requiring the company to monitor and filter outbound Internet traffic to block the unauthorized export of sensitive information. The consent decree puts companies on notice that they may face FTC scrutiny and penalties if they fail to use data loss prevention software.

UPDATE (07/19/2012): A member of the hacking ring was sentenced to seven years in prison.  Around 80,000 payment card numbers were taken from the 11 Dave & Buster's locations.  It appears that the hacker was part of a larger conspiracy that last between 2005 and 2008 and affected Hannaford Bros. grocery chain, Heartland Payment Systems, TJX retail chain, BJ's Wholesale Club, OfficeMax, Boston Market, 7-Eleven, JCPenney, Barnes & Noble, Sports Authority, and Forever 21. Two other members of the hacking ring were sentenced to 20 years in prison and 30 years in prison.