Print

Mail

wiki links

Wholesale identity theft causing significant losses

BJ's Wholesale Club attracts shoppers to its stores by putting thousands of discounted products under one roof. It wasn't hard to attract cyberthieves either, with databases that amass credit card numbers in huge numbers.

The theft earlier this year of thousands of credit card records from the third-largest US warehouse club illustrates the potential for massive-scale identity theft whenever so much purchase-enabling information is stored in one place. It also illustrates how difficult the cleanup can be.

The Secret Service still doesn't know whether the breach was an inside job or the work of hackers, but it has made some arrests, said Tim Buckley, a Secret Service agent investigating the case.

The suspects arrested recently in the US and abroad may have ties to a large international identity theft ring, Buckley said. He declined to say how many arrests have been made or provide further details.

Meanwhile, financial institutions are still smarting. They've had to reissue hundreds of thousands of credit cards belonging to BJ's customers as a precaution against further fraud.

The BJ's case may be the largest retail fraud of its kind based on the amount of cards reissued, experts say.

Hundreds of thousands of replacements were sent to customers across the 16 states where BJ's operates, though BJ's says the breach affected only "a small fraction" of its 8 million members.

Philadelphia-based Sovereign Bank covered about 700 fraudulent transactions from the BJ's theft and had to reissue 81,000 cards twice, at a cost of about US$1 million, once in May and again in June, after a glitch occurred with the first batch, said spokeswoman Ellen Molle said.

"There are some pretty heavy losses out there," said Greg Smith, president of the Pennsylvania State Employees Credit Union, which reissued cards to 14,000 of its members at a cost of US$100,000.

Visa and Mastercard issuers in the US, most of them banks, lost an estimated US$820 million from fraud last year, up 6 percent from the previous year, according to a study by Credit Card Management, an industry magazine.

When BJ's disclosed the breach in a March 12 news release, it said it had altered its security systems and was confident customers' information was secure. BJ's, which has 150 clubs and 78 gas stations, has said the theft would have no material effect on its finances. Consumer advocacy organizations say they've received few consumer complaints.

But the Natick, Massachusetts-based company now faces claims from some of the 10 to 15 banks that had to replace cards or reimburse consumers for fraudulent transactions. Investigators and bank officials have declined to disclose the monetary losses.

As sensitive data about consumers -- not just credit card numbers but also buying habits and other personal information -- are recorded in databases, the potential for identity theft on a massive scale is increasing.

In July, three men pleaded guilty in North Carolina to charges they conspired to hack into the Lowe's home improvement chain's data network to steal credit card information. Lowe's officials said the men failed to get into the company's national database.

Such thefts raise costs for credit card issuers, which typically cover most losses from fraudulent transactions and limit liability to merchants. The problem is a moving target because thieves are creating increasingly sophisticated criminal networks with global reach.

"However they find the numbers, they end up on some computer bulletin board and are sold," Buckley said.
This story has been viewed 2170 times.