BJ's Wholesale Club, Inc. has agreed to settle Federal Trade Commission charges that its failure to take appropriate security measures to protect the sensitive information of thousands of its customers was an unfair practice that violated federal law.
According to the FTC, this information was used by an unauthorized person or persons to make millions of dollars of fraudulent purchases. The settlement will require BJ's to implement a comprehensive information security program and to obtain audits by an independent third-party security professional every other year for 20 years.
Natick, Massachusetts-based BJ's operates 150 warehouse stores and 78 gas stations in 16 states in the Eastern United States. Approximately 8 million consumers are currently members, with net sales totaling about $6.6 billion in 2003.
"Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security," said Deborah Platt Majoras, Chairman of the FTC. "This case demonstrates our intention to challenge companies that fail to protect adequately consumers' sensitive information."
According to the FTC's complaint, BJ's uses a computer network to obtain bank authorization for credit and debit card purchases and to track inventory. For credit and debit card purchases at its stores, BJ's collects information, such as name, card number, and expiration date, from the magnetic stripe on the back of the cards.
The information is sent from the computer network in the store to BJ's central datacenter computer network and from there, through outside computer networks, to the bank that issued the card.
The FTC charged that BJ's engaged in a number of practices which, taken together, did not provide reasonable security for sensitive customer information. Specifically, the agency alleges that BJ's:
Failed to encrypt consumer information when it was transmitted or stored on computers in BJ's stores;
Created unnecessary risks to the information by storing it for up to 30 days, in violation of bank security rules, even when it no longer needed the information;
Stored the information in files that could be accessed using commonly known default user IDs and passwords;
Failed to use readily available security measures to prevent unauthorized wireless connections to its networks; and
Failed to use measures sufficient to detect unauthorized access to the networks or to conduct security investigations.
The FTC's complaint charges that the fraudulent purchases were made using counterfeit copies of credit and debit cards that had been used at BJ's stores, and that the counterfeit cards contained the same personal information BJ's had collected from the magnetic stripes of the cards.
After the fraud was discovered, banks cancelled and re-issued thousands of credit and debit cards, and consumers experienced inconvenience, worry, and lost time dealing with the affected cards. Since then, banks and credit unions have filed lawsuits against BJ's and pursued bank procedures seeking the return of millions of dollars in fraudulent purchases and operating expenses.
According to BJ's SEC filings, as of May 2005, the amount of outstanding claims was approximately $13 million.
The FTC alleges that BJ's failure to secure customers' sensitive information was an unfair practice because it caused substantial injury that was not reasonably avoidable by consumers and not outweighed by offsetting benefits to consumers or competition. The settlement requires BJ's to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards.
The settlement also requires BJ's to obtain an audit from a qualified, independent, third-party professional certifying that its security program meets the standards of the order, and to comply with standard bookkeeping and record-keeping provisions.