BJ's Settles Federal Case In Security Breach

NATICK, Mass. - (06/17/05) -- BJ's Wholesale Club said Thursday it has agreed to implement a comprehensive information security program and to engage a third-party auditor of its data security every year for the next 20 years as part of a settlement with the Federal Trade Commission over last year's multi-million-dollar security breach. Under the settlement, BJ's will not pay any fine. In the security breach, an unauthorized person or persons used the identities of BJ's customers from the company's database to make millions of dollars in fraudulent purchases using credit union and bank customer accounts. More than 160 credit unions were victimized by the breach, either by having to replace member credit and debit cards or by having merchandise charged to member accounts. CUNA Mutual Group, which paid for the credit union losses, is suing BJ's in state court in Massachusetts to recover the costs. The FTC charged that BJ's failed to encrypt customer information when it was transmitted or stored on company computers; created unnecessary risks by storing information for up to 30 days, in violation of bank secrecy rules; stored the data in files that could be accessed using commonly known default user IDs and passwords; and failed to secure the data from unauthorized wireless connections.
