By Bob Sullivan Technology correspondent
updated 3/12/2004 7:33:58 PM ET 2004-03-13T00:33:58

BJ's Wholesale Club Inc. revealed Friday that it is investigating a possible computer system break-in that may have exposed its customers' credit card account information. 

The Massachusetts-based wholesaler, which has 8 million members, mostly in the Northeast, said it was working with credit card associations and law enforcement officials to investigate the situation.

"BJs was recently made aware of a small fraction of its 8 million members being affected by consumer credit card information theft and took immediate steps to address the situation," said Bob Hamilton, vice president of loss prevention at BJ's, in a statement faxed to "Credit card information theft is the fastest growing crime in America and is a major concern for all retailers, including BJ's. We take this issue very seriously."

BJ's -- which last year had $6.7 billion in sales -- said additional customer service representatives would be made available to help consumers who think their account information may have been stolen.

Banks around the country began warning consumers to watch for fraud earier this week, when they were told that a large database of credit cards had been stolen "from a major U.S. retail firm." They were not told who the retailer was.

BJ's faxed its statement to in response to questions about the firm's possible involvement in the credit card leak.

Already, the stolen account numbers have been used to commit fraud around the globe, according to one impacted bank, which said that "thousands" of its consumer were compromised.

BJ's didn't indicate how the credit card account numbers were stolen, but said an exhaustive review by an outside firm "ruled out the liklihood of a centralized security compromise."  Several additional safety measures were implemented at the firm's "club-level" systems, and Hamilton said he was "confident in the current safety and integrity of our systems." 

BJs credit card processing is performed by Fifth Third Bank, based in Ohio. A spokeswoman for the company said she had no knowledge of the computer break-in, and had no reason to believe her bank was involved.

Both Visa and MasterCard warned consumers to check their credit card bills carefully for signs of misuse after the incident, which was revealed earlier this week. 

"MasterCard International has been notified of a suspected breach of a U.S.-based merchant's computer network," MasterCard said in a statement.  "Investigations by MasterCard and law enforcement have begun. MasterCard has begun notifying potentially impacted MasterCard issuers so that they can be alert to suspicious account activity. Investigations are ongoing, and MasterCard continues to monitor this event."

Visa issued a similar statement. A spokesman for American Express said he was "unaware" of any American Express customers who have been impacted. Calls to Discover were not immediately returned.

When such security breaches occur, the card associations generally let the impacted banks decide whether they want to inform consumers and reissue credit cards, or merely watch the accounts for suspicious transactions.

M&T Bank, located in Western New York, decided to inform its customers, sending letters "thousand of cardholders," this week, said Michael Zabel, vice president of corporate communications for the company.

The letter indicated that the breach involved "a major U.S. retailer," and said some of the accounts had already been used for fraud.

"Some fraudulent transaction activity believed to be associated with this incident has been reported in the United States, Europe, and the Asia-Pacific regions," the letter said. It goes on to say that the firm doesn't believe any other personal information, such as addresses, has been stolen in connection with the incident.

Other Northeastern-based banks have indicated their consumers' accounts were in the stolen database.  According to the Finger Lakes Times, the local Finger Lakes Federal Credit Union froze 1,000 of its Visa card accounts that were in the stolen database. First Niagara bank, in New York, said 7,800 customer accounts were affected, but the firm hasn't frozen those accounts, choosing instead to monitor them for fraud, the paper said.

Visa and Mastercard, along with the card-issuing banks, have urged consumers to carefully check their credit card bills for signs of fraud. Consumer liability for credit card fraud is limited to $50, and in most cases, consumer end up paying nothing for the fraud.

© 2013 Reprints


Discussion comments


Most active discussions

  1. votes comments
  2. votes comments
  3. votes comments
  4. votes comments