The theft earlier this year of thousands of credit card records from the nation's third-largest warehouse club illustrates the potential for massive-scale identity theft whenever so much purchase-enabling information is stored in one place. It also illustrates how difficult the cleanup can be.
The Secret Service still doesn't know whether the breach was an inside job or the work of hackers, but it has made some arrests, said Tim Buckley, a Secret Service agent investigating the case.
The suspects arrested recently in the United States and abroad may have ties to a large international identity theft ring, Buckley said. He declined to say how many arrests have been made or provide further details.
Meanwhile, financial institutions are still smarting. They've had to reissue hundreds of thousands of credit cards belonging to BJ's customers as a precaution against further fraud.
The BJ's case may be the largest retail fraud of its kind based on the amount of cards reissued, experts say.
Hundreds of thousands of replacements were sent to customers across the 16 states where BJ's operates, though BJ's says the breach affected only "a small fraction" of its 8 million members.
Philadelphia-based Sovereign Bank covered about 700 fraudulent transactions from the BJ's theft and had to reissue 81,000 cards twice, at a cost of about $1 million, once in May and again in June, after a glitch occurred with the first batch, said spokeswoman Ellen Molle said.
"There are some pretty heavy losses out there," said Greg Smith, president of the Pennsylvania State Employees Credit Union, which reissued cards to 14,000 of its members at a cost of $100,000.
Visa and MasterCard issuers in the United States, most of them banks, lost an estimated $820 million from fraud in 2003, up 6 percent from the previous year, according to a study by Credit Card Management, an industry magazine.
When BJ's disclosed the breach in a March 12 news release, it said it had altered its security systems and was confident customers' information was secure. BJ's, which has 150 clubs and 78 gas stations, has said the theft would have no material effect on its finances. Consumer advocacy organizations say they've received few consumer complaints.
But the Natick, Mass.-based company now faces claims from some of the 10 to 15 banks that had to replace cards or reimburse consumers for fraudulent transactions. Investigators and bank officials have declined to disclose the monetary losses.
As sensitive data about consumers - not just credit card numbers but also buying habits and other personal information - are recorded in databases, the potential for identity theft on a massive scale is increasing.
Last week, three men pleaded guilty in North Carolina to charges they conspired to hack into the Lowe's home improvement chain's data network to steal credit card information. Lowe's officials said the men failed to get into the company's national database.
In another case involving a mother lode of data, a Florida man was charged last month with stealing large amounts of consumer information from database aggregator Acxiom Corp. - the second such hack of Acxiom files revealed in the past year. Prosecutors say the stolen data was not used for identity fraud but to distribute ads via an e-mail business the man runs.
Such thefts raise costs for credit card issuers, which typically cover most losses from fraudulent transactions and limit liability to merchants. The problem is a moving target because thieves are creating increasingly sophisticated criminal networks with global reach.
"However they find the numbers, they end up on some computer bulletin board and are sold," said Buckley.
Lawmakers are responding. A federal law signed July 15 increases criminal penalties and eases the burden of proof prosecutors must meet to win convictions in identity theft cases.
The law also establishes a new crime of aggravated identity theft and sets stiffer punishment guidelines for cases originating from information stolen in a workplace.
A Michigan State University study to be published later this year found as many as 70 percent of all identity theft cases originate with information stolen in a workplace, rather than through hacker intrusions, home robberies or mail fraud.
The study's author, Judith Collins, an MSU criminal justice professor, said the tougher sentencing the new federal law requires is a move in the right direction.
"But it does nothing to pre-empt identity theft," she said.
A California law that took effect last year holds merchants more accountable for safeguarding customers' card data, but analysts say few such protections exist elsewhere. Under the California law, banks and other companies must notify customers when a breach of their personal information is suspected.
The law requires businesses to limit how and when they display consumers' Social Security numbers, including a ban on printing a customer's number on cards needed to access services. Some health insurers use Social Security numbers as members' ID numbers and stamp it on membership cards, creating a risk if a card is stolen.
The credit industry "has been relatively slow in taking more security steps than they already have in place because they sort of felt they could tolerate the loss," said Robert Richardson of the Computer Security Institute, an organization for security professionals. New steps could include employing identification technologies such as fingerprint scans.
More merchants will disclose security breaches like the one at BJ's if other states follow California's lead, Richardson said.
Carol Baroudi, a retail and computer security analyst with the research firm Baroudi Bloor, believes most such cases escape public scrutiny.
"I don't think this case was that much of an anomaly," Baroudi said. "I think the fact that we've actually heard about it is different ... BJ's had the guts to come forward. They took the risk that people would stigmatize them for this."
By Mark Jewell