BJ's Wholesale Club Settles with FTC Over Customer Data

NATICK, Mass. -- BJ's Wholesale Club, Inc. here said yesterday it's implementing a comprehensive information security program in response to a Federal Trade Commission complaint that the chain failed to take appropriate security measures to protect the sensitive data of thousands of its customers. According to the FTC, this information was used by an unauthorized person or persons to make millions of dollars of fraudulent purchases.

The settlement will also require BJ's to obtain audits by an independent third-party security professional every other year for 20 years, according to the FTC.

"BJ's takes the privacy and security of its members' information very seriously," the company said. "We have implemented and are committed to maintaining an information security program that is designed to protect the security, confidentiality, and integrity of our members' information."

BJ's said that early in 2004, it was notified by credit card issuers that credit and debit card accounts used legitimately at BJ's were subsequently used in fraudulent transactions at non-BJ's locations. BJ's claims it took immediate steps to address the situation, including retaining a leading computer security firm to conduct a forensic analysis of its information technology systems and implementing additional security measures designed to eliminate possible avenues by which credit card information could be compromised.

"While no conclusive evidence of a breach was found, on March 12, 2004, after receipt of the computer security firm's preliminary report of findings, BJ's voluntarily issued a public statement alerting consumers to the potential issue," the company noted.

BJ's emphasized that the consent order is not an admission either of any wrongdoing or that the facts in the FTC draft complaint are true. "We cooperated fully with the FTC's investigation and are pleased that it has been completed," the company said.

The FTC charged that BJ's engaged in a number of practices which, taken together, failed to provide reasonable security for sensitive customer information. Specifically, the agency alleges that BJ's:

--Failed to encrypt consumer information when it was transmitted or stored on computers in BJ's stores;

--Created unnecessary risks to the information by storing it for up to 30 days, in violation of bank security rules, even when it no longer needed the information;

--Stored the information in files that could be accessed using commonly known default user IDs and passwords;

--Failed to use readily available security measures to prevent unauthorized wireless connections to its networks; and

--Failed to use measures sufficient to detect unauthorized access to the networks or to conduct security investigations.

The FTC's complaint charges that the fraudulent purchases were made using counterfeit copies of credit and debit cards used at BJ's stores, and that the counterfeit cards contained the same personal information BJ's had collected from the magnetic stripes of the cards.

After the fraud was discovered, the FTC said, banks cancelled and reissued thousands of credit and debit cards. Consequently, banks and credit unions have filed lawsuits against BJ's and pursued bank procedures seeking the return of millions of dollars in fraudulent purchases and operating expenses, according to the FTC, which cited BJ's SEC filings showing outstanding claims of approximately $13 million as of May 2005.

The commission vote to accept the proposed consent agreement was 5-0.

The FTC will now publish an announcement regarding the agreement in the Federal Register. The agreement will be subject to public comment for 30 days through July 16, after which the Commission will decide whether to make it final.

BJ's Wholesale Club, Inc., a leading operator of warehouse clubs in the eastern United States, operates 157 clubs and 83 gas stations in 16 states.