Agency Says Lax Security Compromised Thousands of Credit and Debit Cards
BJ’s Wholesale Club, Inc. has agreed to settle Federal Trade Commission charges that its failure to take appropriate security measures to protect the sensitive information of thousands of its customers was an unfair practice that violated federal law. According to the FTC, this information was used by an unauthorized person or persons to make millions of dollars of fraudulent purchases. The settlement will require BJ’s to implement a comprehensive information security program and obtain audits by an independent third party security professional every other year for 20 years.
Natick, Massachusetts-based BJ’s operates 150 warehouse stores and 78 gas stations in 16 states in the Eastern United States. Approximately 8 million consumers are currently members, with net sales totaling about $6.6 billion in 2003.
“Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security,” said Deborah Platt Majoras, Chairman of the FTC. “This case demonstrates our intention to challenge companies that fail to protect adequately consumers’ sensitive information.”
According to the FTC’s complaint, BJ’s uses a computer network to obtain bank authorization for credit and debit card purchases and to track inventory. For credit and debit card purchases at its stores, BJ’s collects information, such as name, card number, and expiration date, from the magnetic stripe on the back of the cards. The information is sent from the computer network in the store to BJ’s central datacenter computer network and from there through outside computer networks to the bank that issued the card.
The FTC charged that BJ’s engaged in a number of practices which, taken together, did not provide reasonable security for sensitive customer information. Specifically, the agency alleges that BJ’s:
- Failed to encrypt consumer information when it was transmitted or stored on computers in BJ’s stores;
- Created unnecessary risks to the information by storing it for up to 30 days, in violation of bank security rules, even when it no longer needed the information;
- Stored the information in files that could be accessed using commonly known default user IDs and passwords;
- Failed to use readily available security measures to prevent unauthorized wireless connections to its networks; and
- Failed to use measures sufficient to detect unauthorized access to the networks or to conduct security investigations.
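The first two failures above (clear-text storage and over-retention of magnetic-stripe data) map to a concrete defensive pattern. The following Python example is added here and is not code from the FTC, BJ’s, or the complaint: it parses a constructed ISO/IEC 7813 Track 2 string, keeps only a keyed token and the last four digits once authorization is done, and purges records past a retention window. The token key, the one-day window, and every sample value are assumptions.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta

# Constructed Track 2 sample (layout ;PAN=YYMMSSS<discretionary>?); 4111... is a
# standard test number, not a real card.
SAMPLE_TRACK2 = ";4111111111111111=27121011234567890?"
TRACK2_RE = re.compile(r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")

# Assumed values: a real deployment keeps the key in an HSM/KMS and takes the
# retention window from the card brands' rules, not from source code.
TOKEN_KEY = b"placeholder-managed-secret"
RETENTION = timedelta(days=1)


def luhn_ok(pan: str) -> bool:
    """Luhn check so malformed track data is rejected before it is used."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Split raw Track 2 into PAN, expiry (YYMM) and service code; reject junk."""
    m = TRACK2_RE.match(track)
    if not m or not luhn_ok(m["pan"]):
        raise ValueError("malformed track 2 data")
    return {"pan": m["pan"], "expiry": m["exp"], "service_code": m["svc"]}


def to_storage_record(fields: dict, authorized_at_iso: str) -> dict:
    """Post-authorization record: keyed token + last four + purge deadline.
    Full PAN, expiry and discretionary data are deliberately not retained."""
    authorized_at = datetime.fromisoformat(authorized_at_iso)
    token = hmac.new(TOKEN_KEY, fields["pan"].encode(), hashlib.sha256).hexdigest()
    return {
        "pan_token": token,
        "pan_last4": fields["pan"][-4:],
        "authorized_at": authorized_at.isoformat(),
        "purge_after": (authorized_at + RETENTION).isoformat(),
    }


def purge_expired(records: list, now_iso: str) -> list:
    """Drop every record whose retention window has elapsed."""
    now = datetime.fromisoformat(now_iso)
    return [r for r in records if datetime.fromisoformat(r["purge_after"]) > now]
```

Whatever the window, the record never carries enough to counterfeit a stripe, which is the property the complaint says was missing.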
The FTC’s complaint charges that the fraudulent purchases were made using counterfeit copies of credit and debit cards used at BJ’s stores, and that the counterfeit cards contained the same personal information BJ’s had collected from the magnetic stripes of the cards. After the fraud was discovered, banks cancelled and re-issued thousands of credit and debit cards, and consumers experienced inconvenience, worry, and time loss dealing with the affected cards. Since then, banks and credit unions have filed lawsuits against BJ’s and pursued bank procedures seeking the return of millions of dollars in fraudulent purchases and operating expenses. According to BJ’s SEC filings, as of May 2005, the amount of outstanding claims was approximately $13 million.
The FTC alleges that BJ’s failure to secure customers’ sensitive information was an unfair practice because it caused substantial injury that was not reasonably avoidable by consumers and not outweighed by offsetting benefits to consumers or competition. The settlement requires BJ’s to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. The settlement also requires BJ’s to obtain an audit from a qualified, independent, third-party professional that its security program meets the standards of the order, and to comply with standard bookkeeping and record-keeping provisions.
The Commission vote to accept the proposed consent agreement was 5-0. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through July 16, 2005, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, Room H-159, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.
Copies of the complaint and consent agreement are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint in English or Spanish (bilingual counselors are available to take complaints), or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.
(FTC File No. 0423160)
Claudia Bourne Farrell,
Office of Public Affairs
Division of Financial Practices