BJs Credit Card Theft: Part of a Growing Trend

The theft of tens of thousands of credit card numbers from a database belonging to BJs Wholesale Club was, in some ways, an anomaly.

Not only did BJs Wholesale Club Inc. management take the rare step of disclosing the theft publicly, but most of the card issuers moved quickly to notify customers of the incident.

In some cases, financial institutions had canceled the stolen cards and issued new ones before victims even knew about the problem.

But, in most other respects, the incident is a classic illustration of how cyber-crime is becoming part of daily life.

/zimages/7/28571.gifClick here to read more about the far-reaching effects of cyber-crime.

BJs first disclosed the security breach, in which more than 40,000 card numbers are thought to have been compromised, on March 12.

But while investigators believe it was accomplished over the Internet rather than inside the corporate offices, its still not known exactly how the attackers infiltrated the network. Investigators said they believe the attackers may have had access to the data since July 2003.

/zimages/7/28571.gifFor insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

As BJs officials in Natick, Mass., conducted an internal security audit and raced to notify affected financial institutions, agents from the Secret Services New England Electronic Crimes Task Force began poring over the evidence. A priority: looking for hints that the thieves were selling or trading the stolen account information online.

Meanwhile, theft victims were finding small charges, from one penny up to a few dollars, showing up on their accounts as the thieves began testing the stolen numbers to determine which ones were still valid.

For a few accounts that proved valid, those amounts spiked as thieves began using them for shopping sprees. BJs officials at company headquarters worked to calm customer fears and limit the public-relations hit the company was taking.

“We are confident in the current safety and integrity of our systems,” said Bob Hamilton, vice president of loss prevention at BJs. “We are continually working to employ advanced technologies to ward against increasingly sophisticated credit-card-information theft schemes.”

But those reassurances did little to quell BJs customers fears of identity theft and, more probable, being held responsible for unauthorized purchases.

“You always hear about this stuff. I couldnt believe it when I realized my card had been stolen,” said Donna Getgen, a BJs customer in Owings, Md.

/zimages/7/28571.gifAt the recent eWEEK Security Summit, Clarke said enterprises should hold developers accountable for their softwares security. Click here to read more.

Getgen was one of the fortunate ones: Her account never showed unauthorized charges.

The Secret Service investigators have been getting lucky, too. Earlier this month, they were able to track down and arrest six suspects in the theft after a portion of the stolen numbers showed up in an IRC (Internet Relay Chat) channel, a common location for selling and trading credit card numbers.

/zimages/7/28571.gifCheck out eWEEK.coms Security Center at http://security.eweek.com for the latest security news, reviews and analysis.

/zimages/7/77042.gif

Be sure to add our eWEEK.com developer and Web services news feed to your RSS newsreader or My Yahoo page