Massachusetts Retailer Agrees to Audits, Security Measures in ID Theft Case

BOSTON -- BJ's Wholesale Club Inc. has agreed to submit to outside security audits for 20 years and tighten protection of customer information to settle a government complaint over a massive theft of credit and debit card data.

The tentative settlement announced Thursday by the Federal Trade Commission does not require the nation's third-biggest warehouse club to pay a fine. BJ's said in government filings that it faced about $13 million in private claims as of last month over last year's theft, which prompted banks to reissue hundreds of thousands of credit and debit cards to prevent further fraud.

The case is one of six recent enforcement actions by the FTC alleging violations of a law covering protection of consumer information. Other cases involved false claims about security procedures. BJ's case is the first in FTC history alleging consumers were harmed as a result of lax security, said Joel Winston, an FTC associate director.

Carol Baroudi, a retail analyst with the Waltham-based research firm Hurwitz & Associates, said she expects more regulatory complaints and tighter federal laws as increasingly sophisticated identity thieves take advantage of shortcomings in retailers' security.

"I believe there are many companies out there that are just flagrantly ignoring this issue, and I hope this case serves as a wake-up call," Baroudi said.

The FTC said the BJ's settlement requires the Natick-based company "to establish and maintain a comprehensive security program" - which BJ's contends it already has in place - and undergo audits by a third-party security professional every other year for 20 years.

BJ's did not admit to wrongdoing or the government's allegations. The settlement is subject to a 30-day public comment period.

BJ's issued a statement saying the company "takes the privacy and security of its members' information very seriously."

The FTC alleges BJ's failed to adequately protect customer information by failing to encrypt data when it was transmitted or stored on computers in BJ's stores.

BJ's also stored customer information longer than necessary - up to 30 days, in violation of bank security rules - and stored data in files that could be accessed using commonly known default user identity codes and passwords, the FTC said.

The FTC said BJ's failed to prevent unauthorized wireless connections to its networks and didn't take adequate steps to prevent unauthorized access to its networks.

BJ's operates 157 stores and 83 gas stations in 16 states from Maine to Florida, ranking behind Costco and WalMart's Sam's Club among the nation's biggest membership warehouse clubs.

BJ's has previously said the security breach affected only "a small fraction" of its 8 million members.

The company disclosed the breach on March 12, 2004. BJ's said then that it had altered its security systems and was confident customers' information was secure. BJ's also has said the theft would have no material effect on its finances.

The company eventually faced claims from some of more than a dozen banks that covered costs to replace hundreds of thousands of cards, reimburse consumers for fraudulent transactions or both. Credit card issuers generally reimburse consumers for losses from fraudulent transactions.

The Secret Service investigated the breach and said last year it did not know whether the theft was an inside job or the work of hackers. A Secret Service spokesman was not immediately able to answer questions on the case's status Thursday.

Shares of BJ's Wholesale rose 11 cents to close at $31.70 in trading on the New York Stock Exchange, where the stock has traded in a 52-week range of $21.06 to $34.70.