Question

BJ’s Wholesale Club, Inc. has agreed to settle Federal Trade Commission charges that its failure to...

BJ’s Wholesale Club, Inc. has agreed to settle Federal Trade Commission charges that its failure to take appropriate security measures to protect the sensitive information of thousands of its customers was an unfair practice that violated federal law. According to the FTC, this information was used by an unauthorized person or persons to make millions of dollars of fraudulent purchases. The settlement will require BJ’s to implement a comprehensive information security program and obtain audits by an independent third party security professional every other year for 20 years.

Natick, Massachusetts-based BJ’s operates 150 warehouse stores and 78 gas stations in 16 states in the Eastern United States. Approximately 8 million consumers are currently members, with net sales totaling about $6.6 billion in 2003.

“Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security,” said Deborah Platt Majoras, Chairman of the FTC. “This case demonstrates our intention to challenge companies that fail to protect adequately consumers’ sensitive information.”

According to the FTC’s complaint, BJ’s uses a computer network to obtain bank authorization for credit and debit card purchases and to track inventory. For credit and debit card purchases at its stores, BJ’s collects information, such as name, card number, and expiration date, from the magnetic stripe on the back of the cards. The information is sent from the computer network in the store to BJ’s central datacenter computer network and from there through outside computer networks to the bank that issued the card.

The FTC charged that BJ’s engaged in a number of practices which, taken together, did not provide reasonable security for sensitive customer information. Specifically, the agency alleges that BJ’s:

  • Failed to encrypt consumer information when it was transmitted or stored on computers in BJ’s stores;
  • Created unnecessary risks to the information by storing it for up to 30 days, in violation of bank security rules, even when it no longer needed the information;
  • Stored the information in files that could be accessed using commonly known default user IDs and passwords;
  • Failed to use readily available security measures to prevent unauthorized wireless connections to its networks; and
  • Failed to use measures sufficient to detect unauthorized access to the networks or to conduct security investigations.

The FTC’s complaint charges that the fraudulent purchases were made using counterfeit copies of credit and debit cards used at BJ’s stores, and that the counterfeit cards contained the same personal information BJ’s had collected from the magnetic stripes of the cards. After the fraud was discovered, banks cancelled and re-issued thousands of credit and debit cards, and consumers experienced inconvenience, worry, and time loss dealing with the affected cards. Since then, banks and credit unions have filed lawsuits against BJ’s and pursued bank procedures seeking the return of millions of dollars in fraudulent purchases and operating expenses. According to BJ’s SEC filings, as of May 2005, the amount of outstanding claims was approximately $13 million.

The FTC alleges that BJ’s failure to secure customers’ sensitive information was an unfair practice because it caused substantial injury that was not reasonably avoidable by consumers and not outweighed by offsetting benefits to consumers or competition. The settlement requires BJ’s to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. The settlement also requires BJ’s to obtain an audit from a qualified, independent, third-party professional that its security program meets the standards of the order, and to comply with standard book keeping and record keeping provisions.

The Commission vote to accept the proposed consent agreement was 5-0. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through July 16, 2005, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, Room H-159, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

i. Describe the security breach at BJ’s Wholesale Club.

ii. What was the reason for this agreement?

Answer #1

Ques i) The security breach at BJ’s Wholesale Club was that the consumer information was leaked and used by an unauthorized person or persons to make millions of dollars of fraudulent purchases.

BJ’s policies left consumer information exposed. Some of these were:

1. Storing consumer information for up to 30 days (which wasn’t required), also a violation of the bank’s rules of security.

2. The stored files could be accessed by commonly used and known IDs and passwords.

3. The measures detecting unauthorised access to networks were not up to the mark.

4. They did not conduct any investigations into its security systems or breaches.


The hackers then used this stolen credit and debit card information to make purchases by creating counterfeit cards.

Ques ii) The reason for the agreement was that it was proved that BJ’s carelessness was the reason for the leakage of such sensitive information. Not only did BJ’s information storing violate the bank security rules, but also, their lack of regulations regarding security and access led to this situation.

Moreover, it could not have been reasonably avoided by the consumers. All these facts led to the agreement.
