BRATTLEBORO — Thieves slid through the cyberverse, absconding with debit and credit card numbers from patrons of The Works Bakery Café, a popular breakfast and lunch spot on Main Street.
According to Works president Richard French, the card numbers were stolen sometime between mid-January and Feb. 1.
If patrons think they used their debit cards at the cafe during the 10-day window, the safest thing to do is contact their bank for a new card, said French.
On Jan. 30, chatter on Facebook chronicled people whose debit or credit cards had been used for purchases in California, Pennsylvania, Florida, and the United Kingdom.
Losses to people's bank accounts varied: one customer's bank caught the fraudulent activity within an hour, while another customer's bank account was wiped to zero. One patron's debit card was cloned twice to the tune of $500. She cut up her replacement debit card before having time to remove the activation sticker.
French said in a phone interview on Monday that federal authorities have asked him not to speak about the thefts. The authorities have asked that he not even mention which branch of the federal government is looking into the potential crimes.
The authorities have also asked French not to give any more specific timeline than the two-week window.
French said information is in its infancy but the theory is malware got into the computer system and cloned cards.
Malware is malicious software placed on a company's computers to gather, and steal, data.
According to French, “The use of malware by criminals to target small businesses like The Works Bakery Café is dramatically increasing in the United States, more than doubling in the past year.”
Hit at home
The thieves struck multiple branches of The Works, but French was reluctant to give more information.
“I can feel confident that we moved as quickly as possible,” French said.
Besides Brattleboro, The Works has stores in Manchester, Vt., Portland, Maine, and Keene, Portsmouth, Concord, and Durham, N.H. According to its website, The Works is known for using locally-sourced foods; humanely-raised, hormone and antibiotic-free meats; local eggs from cage-free chickens; and hormone and antibiotic-free dairy products.
French said Works employees have worked nonstop to mitigate the impact of the data theft on customers.
“I have a crushed crew this week,” French said.
He cautioned that there could be a “lag time” between when people's card numbers were stolen and when the numbers appear for nefarious use. That's why people who used their cards at a Works branch during the window should order new cards from their banks.
Staff's personal accounts and The Works' corporate card were also compromised in the cyber attack, said French.
The company has pulled the hard drives in stores inside and outside Vermont, he said.
A press release by The Works on Feb. 1 formally announced the company's cooperation with local, state, and federal authorities on the thefts.
“I do want to make it clear to our loyal customers that we take this situation very seriously and took steps in response immediately,” said French in the release. “We want our customers to know that we have taken swift action that they can use their debit or credit cards at all our locations without hesitation.”
The Works does not store customers' debit or credit card information.
Crossing state lines
According to Brattleboro Police Detective Lt. Michael Carrier, The Works contacted his department, but he was reluctant to reveal too much information because the case is an active investigation.
Since the stolen data crossed state lines, the case has triggered involvement by the Vermont Attorney General's office, the banks whose customers had their data stolen, and the U.S. Secret Service, Carrier said.
The local, state, and federal agencies will work together on the case, he added.
The banks are expected to reach out to affected cardholders, said Carrier. Still, he suggested people monitor their accounts and contact their bank if necessary.
Carrier said he was not aware of anyone in the BPD telling individuals at The Works not to inform customers of a potential data breach.
If The Works did not tell customers anything, it was their decision, he said.
As information becomes available that can be shared with the public, Carrier said law enforcement would forward it.
Authorities are urging anyone who believes their debit or credit cards may have been compromised to check their bank statements for verification of fraudulent activity and to report any suspicious activities to their financial institutions.
Where money won't go
French said that the thefts have cost his company “tens of thousands” of dollars.
The computer hard drives pulled last week are under forensic analysis. French said he'd prefer to use the money spent on forensic analysis on compostable cups or higher wages.
Last November, French said he began a new composting program slated to go franchise-wide this year. The data breach inhaled the equivalent of the composting program's budget within a week.
“[The data loss] has been a costly endeavor for us,” French said, adding he wants to also remain empathetic to customers and staff whose bank accounts, and home budgets, took a hit.
Initiatives such as composting and locally sourced foods “are true to our heart and true to what our customers want us to be working on,” he said. “I cannot overstate the importance which I place on the relationships I have built with our customers over the more than 20 years I have run this business.”