BJ’s Settles Data Breach Case with FTC

17 Jun ’05

Computerworld reports that BJ’s, the US wholesale club, has entered into a consent order with the FTC arising out of a security breach of customer data:

Millions of dollars of unauthorized and fraudulent purchases were made on customer credit and debit cards after the customers had visited BJ’s stores in early 2004, the FTC alleged.

Under the consent order, BJ’s “has agreed to implement a comprehensive data-security system and undergo biannual security audits for the next 20 years.” The article has a bit of detail on the nature of the deficiencies in BJ’s systems:

In its investigation of the case, the FTC alleged that BJ’s failed to encrypt consumer information when it was transmitted or stored on computers in BJ’s stores and then created unnecessary security risks by storing it for up to 30 days in violation of bank security rules.

BJ’s also failed to use adequate security methods by storing the credit card information in files that could be accessed using commonly known default user IDs and passwords and failed to use readily available security measures to prevent unauthorized wireless connections to its networks.
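The two storage failings the FTC describes, card data kept in plaintext and kept longer than the rules allowed, are both things a store-side audit job can check for mechanically. The script below is an added illustration, not code from BJ's, the FTC or Computerworld: it runs over a constructed set of transaction records, flags any record older than an assumed retention limit (the 30-day figure here is illustrative, not the bank rule the article refers to), and flags any payload still holding a Luhn-valid card number in the clear rather than a token. The record layout, the `RETENTION_DAYS` constant and the masking format are all assumptions made for the example.

```python
import re
from datetime import date, timedelta

# Assumed retention limit in days; illustrative only, not the bank rule cited in the article.
RETENTION_DAYS = 30

# Constructed sample of a store-side transaction log. Two records still carry a
# primary account number (PAN) in the clear; two carry a token instead.
# 4111111111111111 is a well-known test number, not a real card.
SAMPLE_RECORDS = [
    {"id": "txn-001", "captured": date(2004, 1, 10), "payload": "PAN=4111111111111111 EXP=0506"},
    {"id": "txn-002", "captured": date(2004, 2, 25), "payload": "PAN=4111111111111111 EXP=1207"},
    {"id": "txn-003", "captured": date(2004, 2, 27), "payload": "TOKEN=tok_7f3a9c EXP=0806"},
    {"id": "txn-004", "captured": date(2004, 1, 28), "payload": "TOKEN=tok_c01d22 EXP=0306"},
]

# Candidate PANs are 13 to 19 consecutive digits; the Luhn check below filters out
# other long numbers (order ids, timestamps) that happen to match the pattern.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_plaintext_pans(text: str) -> list:
    """Return every Luhn-valid 13-19 digit run found in the text."""
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_valid(m.group(0))]


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, as a log-safe representation."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit_records(records, today, retention_days=RETENTION_DAYS) -> dict:
    """Flag records past the retention cutoff and records holding a clear-text PAN."""
    cutoff = today - timedelta(days=retention_days)
    findings = {"expired": [], "plaintext_pan": []}
    for rec in records:
        if rec["captured"] < cutoff:
            findings["expired"].append(rec["id"])
        if find_plaintext_pans(rec["payload"]):
            findings["plaintext_pan"].append(rec["id"])
    return findings


def enforce_retention(records, today, retention_days=RETENTION_DAYS) -> list:
    """Drop expired records and mask any clear-text PAN in the ones that remain."""
    cutoff = today - timedelta(days=retention_days)
    kept = []
    for rec in records:
        if rec["captured"] < cutoff:
            continue
        payload = PAN_RE.sub(
            lambda m: mask_pan(m.group(0)) if luhn_valid(m.group(0)) else m.group(0),
            rec["payload"],
        )
        kept.append({**rec, "payload": payload})
    return kept


if __name__ == "__main__":
    as_of = date(2004, 3, 1)
    print(audit_records(SAMPLE_RECORDS, as_of))
    for rec in enforce_retention(SAMPLE_RECORDS, as_of):
        print(rec["id"], rec["payload"])
```

Run on the constructed records with an audit date of 1 March 2004, the audit reports `txn-001` and `txn-004` as past the cutoff and `txn-001` and `txn-002` as holding a clear-text PAN; the enforcement pass keeps only the two recent records, with the card number in `txn-002` masked. In a real deployment the encryption or tokenisation of the payload would happen at capture time, and a job like this would be the detective control that confirms nothing slipped through.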
