Credit card data breach probed at BJ's stores

Computerworld - A "possible compromise" in the computer systems used by BJ's Wholesale Club stores remains under investigation after the company learned that credit card information for some of its customers may have been stolen.
The Natick, Mass.-based wholesale consumer buying club said in an announcement last week that a "small fraction" of its 8 million members may have been affected by the data thefts from its stores. The incidents are being investigated by credit card companies and law enforcement agencies.
Spokeswoman Amy Russ said she couldn't comment further on the security breach.
BJ's learned of the problems when the company was notified by credit card companies of possible fraudulent transactions affecting customer accounts. It's now conducting a review with a security firm.
In its statement, BJ's said it "ruled out the likelihood of a centralized security compromise" and implemented several measures to eliminate possible avenues by which credit card information could be accessed.
"We are confident in the current safety and integrity of our systems," Bob Hamilton, vice president of loss prevention at BJ's, said in a statement. "This type of crime is the fastest growing crime in America and is a major concern for all retailers, including BJ's. We take this issue very seriously and we are continually working to employ advanced technologies to ward against increasingly sophisticated credit card information theft schemes. We remain fully committed to protecting the privacy of our members and the security of their information and are working with credit card companies and law enforcement to identify and prosecute these criminals."
Hamilton said that "while it is not industry practice for retailers to bring information like this to its consumers, we feel our members should be aware of this issue."
BJ's said that any customers who believe that their credit card information was stolen should immediately report it to their credit card companies.
Pete Lindstrom, a security analyst at Spire Security in Malvern, Pa., said incidents like this are often difficult for companies to find because the credit card information isn't actually missing, but has been copied, making it hard to know that a breach has occurred. "Very rarely do folks learn their lesson until after the fact," he said. "Just once I want somebody to announce a [security] clampdown before a breach occurs."
Carol Baroudi, a retail analyst at Baroudi Bloor in Arlington, Mass., said the incident should remind credit card holders that they should always carefully check their credit card statements for unauthorized charges.
"The problem is that fraud is only going toescalate," Baroudi said. "The thing is it should have never happened, but it's going to happen because there are new vulnerabilities discovered and exploited every day. Every vendor has to go all the way to look at every protection, but consumers have to look at every credit card bill."
BJ's, which opened its first store in 1984, operates 150 clubs and 78 gas stations.

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Knowledge Center.