Credit card data breach probed at BJ's stores
A 'small fraction' of customer data may have been compromised
Computerworld - A "possible compromise" in the computer systems used by BJ's Wholesale Club stores remains under investigation after the company learned that credit card information for some of its customers may have been stolen.
The Natick, Mass.-based wholesale consumer buying club said in an announcement last week that a "small fraction" of its 8 million members may have been affected by the data thefts from its stores. The incidents are being investigated by credit card companies and law enforcement agencies.
Spokeswoman Amy Russ said she couldn't comment further on the security breach.
BJ's learned of the problems when the company was notified by credit card companies of possible fraudulent transactions affecting customer accounts. It's now conducting a review with a security firm.
In its statement, BJ's said it "ruled out the likelihood of a centralized security compromise" and implemented several measures to eliminate possible avenues by which credit card information could be accessed.
"We are confident in the current safety and integrity of our systems," Bob Hamilton, vice president of loss prevention at BJ's, said in a statement. "This type of crime is the fastest growing crime in America and is a major concern for all retailers, including BJ's. We take this issue very seriously and we are continually working to employ advanced technologies to ward against increasingly sophisticated credit card information theft schemes. We remain fully committed to protecting the privacy of our members and the security of their information and are working with credit card companies and law enforcement to identify and prosecute these criminals."
Hamilton said that "while it is not industry practice for retailers to bring information like this to its consumers, we feel our members should be aware of this issue."
BJ's said that any customers who believe that their credit card information was stolen should immediately report it to their credit card companies.
Pete Lindstrom, a security analyst at Spire Security in Malvern, Pa., said incidents like this are often difficult for companies to find because the credit card information isn't actually missing, but has been copied, making it hard to know that a breach has occurred. "Very rarely do folks learn their lesson until after the fact," he said. "Just once I want somebody to announce a [security] clampdown before a breach occurs."
Carol Baroudi, a retail analyst at Baroudi Bloor in Arlington, Mass., said the incident should remind credit card holders that they should always carefully check their credit card statements for unauthorized charges.
"The problem is that fraud is only going to escalate," Baroudi said. "The thing is it should have neverhappened, but it's going to happen because there are new vulnerabilities discovered and exploited every day. Every vendor has to go all the way to look at every protection, but consumers have to look at every credit card bill."
BJ's, which opened its first store in 1984, operates 150 clubs and 78 gas stations.
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- Step Out of the Bull's-Eye Learn about the evolution of targeted attacks, the latest in security intelligence, and strategic steps to keep your business safe.
- Using Cyber Insurance and Cybercrime Data to Limit Your Business Risk This paper examines the challenges of understanding cyber risks, the importance of having the right cyber risk intelligence, and how to use this...
- 5 Tips to Secure Small Business Backdoors in the Enterprise Supply Chain This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily... All Cybercrime and Hacking White Papers | Webcasts