Big trust in databases leads to big ID thefts

Second Mortgage No Equity Required!

Low Interest Second Mortgage click here

Consolidate Your Debt into 1 Low Monthly payment

Cash Out for Home Improvement? click here

Good Credit?
Fair Credit?
Poor credit?
Apply Now

Big trust in databases leads to big ID thefts

By MARK JEWELL
The Associated Press

BOSTON — BJ's Wholesale Club attracts shoppers to its stores by putting
thousands of discounted products under one roof. It wasn't hard to attract cyberthieves either, with databases that amass credit-card numbers in huge numbers.

The theft earlier this year of thousands of credit-card records from the nation's third-largest warehouse club illustrates the potential for massive-scale identity theft whenever so much purchase-enabling information is stored in one place. It also illustrates how difficult the cleanup can be.

The Secret Service still doesn't know whether the breach was an inside job or the work of hackers, but it has made some arrests, said Tim Buckley, a Secret Service agent investigating the case.

The suspects arrested recently in the United States and abroad may have ties to a large international identity-theft ring, Buckley said. He declined to say how many arrests have been made or provide further details.

Meanwhile, financial institutions still are smarting. They've had to reissue hundreds of thousands of credit cards belonging to BJ's customers as a precaution against further fraud.

The BJ's case may be the largest retail fraud of its kind based on the amount of cards reissued, experts say.

Hundreds of thousands of replacements were sent to customers across the 16 states where BJ's operates, though BJ's says the breach affected only "a small fraction" of its 8 million members.

Philadelphia-based Sovereign Bank covered about 700 fraudulent transactions from the BJ's theft and had to reissue 81,000 cards twice, at a cost of about $1 million, once in May and again in June, after a glitch occurred with the first batch, spokeswoman Ellen Molle said.

"There are some pretty heavy losses out there," said Greg Smith, president of the Pennsylvania State Employees Credit Union, which reissued cards to 14,000 of its members.

Visa and MasterCard issuers in the United States, most of them banks, lost an estimated $820 million from fraud in 2003, up 6 percent from the previous year, according to a study by Credit Card Management, an industry magazine.

When BJ's disclosed the breach in a March 12 news release, it said it had altered its security systems and was confident customers' information was secure. BJ's, which has 150 clubs and 78 gas stations, has said the theft would have no material effect on its finances. Consumer-advocacy organizations say they've received few consumer complaints.

But the Natick, Mass.-based company now faces claims from some of the 10 to 15 banks that had to replace cards or reimburse consumers for fraudulent transactions. Investigators and bank officials have declined to disclose the monetary losses.

As sensitive data about consumers — not just credit-card numbers but also buying habits and other personal information — is recorded in databases, the potential for identity theft on a massive scale is increasing.

Last week, three men pleaded guilty in North Carolina to charges they conspired to hack into the Lowe's home-improvement chain's data network to steal credit-card information. Lowe's officials said the men failed to get into the company's national database.

In another case involving a mother lode of data, a Florida man was charged last month with stealing large amounts of consumer information from database aggregator Acxiom — the second such hack of Acxiom files revealed in the past year. Prosecutors say the stolen data was used to distribute ads via an e-mail business the man runs.

Such thefts raise costs for credit-card issuers, which typically cover most losses from fraudulent transactions and limit liability to merchants. The problem is a moving target because thieves are creating increasingly sophisticated criminal networks with global reach.

"However they find the numbers, they end up on some computer bulletin board and are sold," Buckley said.

Lawmakers are responding. A federal law signed July 15 increases criminal penalties and eases the burden of proof prosecutors must meet to win convictions in identity-theft cases.

The law also establishes a new crime of aggravated identity theft and sets stiffer punishment guidelines for cases originating from information stolen in a workplace.

A Michigan State University study to be published later this year found as many as 70 percent of all identity-theft cases originate with information stolen in a workplace, rather than through hacker intrusions, home robberies or mail fraud.

The study's author, Judith Collins, an MSU criminal-justice professor, said the tougher sentencing the new federal law requires is a move in the right direction.

"But it does nothing to pre-empt identity theft," she said.

The credit industry "has been relatively slow in taking more security steps than they already have in place because they sort of felt they could tolerate the loss," said Robert Richardson of the Computer Security Institute. New steps could include employing identification technologies such as fingerprint scans.

Second Mortgage News