BJ's settles case with FTC over customer data security
FTC alleges weak security at wholesale club led to fraudulent sales valued in the millions
June 17, 2005 12:00 PM ET, Computerworld - After credit card data for thousands of customers was used to make fraudulent purchases in other stores, BJ's Wholesale Club Inc. has agreed to implement a comprehensive data-security system and undergo biannual security audits for the next 20 years under a settlement with the Federal Trade Commission.
In a statement yesterday, the FTC said the settlement was reached after the agency concluded that the Natick, Mass.-based warehouse buying club failed to take adequate precautions to guard its customer credit card and debit card data from theft and fraudulent use.
Millions of dollars of unauthorized and fraudulent purchases were made on customer credit and debit cards after the customers had visited BJ's stores in early 2004, the FTC alleged (see story).
In a statement yesterday, BJ's said it agreed to the settlement and the additional procedures "to protect the security, confidentiality and integrity of our members' information."
The statement said that BJ's was notified early last year that credit and debit card accounts used legitimately at BJ's were later being used in fraudulent transactions at non-BJ's locations. The company then hired a computer security firm to conduct a forensic analysis of its IT systems and implement additional security measures to protect against credit card fraud.
"While no conclusive evidence of a breach was found, on March 12, 2004, after receipt of the computer security firm's preliminary report of findings, BJ's voluntarily issued a public statement alerting consumers to the potential issue," the company stated. "The [FTC] consent order is not an admission of either any wrongdoing or that the facts in the FTC draft complaint are true. We cooperated fully with the FTC's investigation and are pleased that it has been completed."
A BJ's spokeswoman declined to comment further.
In its investigation of the case, the FTC alleged that BJ's failed to encrypt consumer information when it was transmitted or stored on computers in BJ's stores and then created unnecessary security risks by storing it for up to 30 days in violation of bank security rules.
BJ's also failed to use adequate security methods by storing the credit card information in files that could be accessed using commonly known default user IDs and passwords and failed to use readily available security measures to prevent unauthorized wireless connections to its networks.
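The three control failures the complaint lists (card data kept in the clear, retained past the 30-day limit, and stored under accounts with well-known default credentials) are all things a retailer can check for mechanically. The script below is an added illustration, not code from BJ's, the FTC or Computerworld: it audits a constructed sample of point-of-sale authorization records and service accounts, flagging Luhn-valid card numbers sitting in plaintext, records older than the retention window, and accounts still using a default user ID and password. The record layout, the account list and the default-credential list are assumptions made for the example.

```python
import re
from datetime import date, timedelta

# Upper bound the FTC complaint cites for retention under bank rules.
RETENTION_DAYS = 30

# Constructed sample data (not real records): one authorization record per dict.
SAMPLE_RECORDS = [
    {"id": 1, "captured": date(2004, 1, 5), "payload": "TRACK2=4111111111111111=0612101"},
    {"id": 2, "captured": date(2004, 2, 20), "payload": "TOKEN=tok_3fa9c2"},
    {"id": 3, "captured": date(2004, 2, 28), "payload": "TRACK2=4242424242424242=0703101"},
]

# Constructed service accounts on the store system, as (user, password) pairs.
SAMPLE_ACCOUNTS = [("admin", "admin"), ("posuser", "S3cure!pass"), ("root", "password")]

# Assumed list of vendor default credentials to check against.
DEFAULT_CREDS = {("admin", "admin"), ("root", "password"), ("admin", "")}

# 13 to 19 digit runs not adjacent to other digits: candidate card numbers.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits):
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_pans(text):
    """Return Luhn-valid card numbers found unencrypted in a payload string."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]


def expired_records(records, today, max_days=RETENTION_DAYS):
    """Return IDs of records captured more than max_days before today."""
    cutoff = today - timedelta(days=max_days)
    return [r["id"] for r in records if r["captured"] < cutoff]


def default_credential_accounts(accounts, defaults=DEFAULT_CREDS):
    """Return user names whose (user, password) pair is a known default."""
    return [user for user, pw in accounts if (user, pw) in defaults]


def audit(records, accounts, today):
    """Run all three checks and return (finding_type, subject) tuples."""
    findings = []
    for r in records:
        if find_plaintext_pans(r["payload"]):
            findings.append(("plaintext_pan", r["id"]))
    for rid in expired_records(records, today):
        findings.append(("retention_exceeded", rid))
    for user in default_credential_accounts(accounts):
        findings.append(("default_credential", user))
    return findings


if __name__ == "__main__":
    # Audit as of the date BJ's issued its public statement.
    for kind, subject in audit(SAMPLE_RECORDS, SAMPLE_ACCOUNTS, date(2004, 3, 12)):
        print(f"{kind}: {subject}")
```

The plaintext check relies on the Luhn checksum to cut false positives from other long digit strings (order numbers, timestamps); tokenized records such as record 2 produce no finding, which is the state a store should be aiming for. Run as of March 12, 2004, record 1 trips both the plaintext and the retention check, record 3 only the plaintext check, and two of the three accounts are flagged for default credentials.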
FTC Chairwoman Deborah Platt Majoras said in a statement that store customers must have confidence that the places where they shop will adequately protect their confidential personal data. "This case demonstrates our intention to challenge companies that fail to protect adequately consumers' sensitive information," she said.
The FTC's complaint charged that the fraudulent purchases were made using counterfeit copies of credit and debit cards used at BJ's stores and that the counterfeit cards contained the same personal information that BJ's had collected from the magnetic stripes of the cards.
A number of banks and credit unions have filed lawsuits against BJ's and pursued bank procedures seeking the return of about $13 million in fraudulent purchases and operating expenses in connection with the case, according to the FTC.
BJ's operates 150 warehouse stores and 78 gas stations in 16 states in the eastern U.S. The wholesale club has about 8 million members and had net sales totaling about $6.6 billion in 2003.
Chris Christianson, a security analyst with IDC in Framingham, Mass., said incidents like the BJ's case are "just more evidence of the low awareness of security" that remains in many businesses. "If you've got a vulnerability, you pretty much guarantee it will be found sooner or later. [The case] is also an indication that the criminal fraud environment has become much more aggressive."