BJ's Wholesale Club Settles FTC Data-Protection Complaint - InformationWeek
03:47 PM
Connect Directly

BJ's Wholesale Club Settles FTC Data-Protection Complaint

Under terms of the settlement, BJ's will implement a comprehensive information-security program subject to third-party audits every other year for the next two decades.

The Federal Trade Commission said today that BJ's Wholesale Club Inc. has agreed to settle charges that it failed to provide adequate security for its customer data.

According to the FTC, BJ's failed to encrypt customer data when transmitted or stored on BJ's computers, kept that data in files accessible using default passwords, and ran insecure, insufficiently monitored wireless networks.

The FTC charges that the company's lax data security led to a series of fraudulent purchases at non-BJ's stores made with counterfeit credit cards that contained personal information BJ's had previously collected from the magnetic stripes of customers' credit cards. As a result of the fraud, affected financial institutions filed suit against BJ's to recover damages. According to a May securities and Exchange Commission filing, BJ's recorded charges of $7 million in 2004 and an additional $3 million in 2005 to cover legal costs incurred in this matter.

BJ's, with revenue of $7.4 billion in fiscal 2005, operates 157 warehouse stores and 83 gas stations in 16 Eastern states. Some 8 million consumers are members. Nationally, it's the third-largest membership warehouse club, behind Costco and Sam's Club.

Under terms of the settlement, BJ's will implement a comprehensive information-security program subject to third-party audits every other year for the next two decades.

"BJ's takes the privacy and security of its members' information very seriously," the company said in a statement. "We have implemented and are committed to maintaining an information-security program that is designed to protect the security, confidentiality, and integrity of our members' information."

The consent agreement settling the FTC complaint includes the following requirements: a designated employee or employees to coordinate and be accountable for the information-security program; the identification of risks to customer data; the design and implementation of reasonable safeguards for that data; and monitoring to ensure compliance.

"Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security," said FTC chairman Deborah Platt Majoras in a statement. "This case demonstrates our intention to challenge companies that fail to protect adequately consumers' sensitive information."

The FTC may have a lot of companies to challenge given the incidence of data loss and data breaches in past months. Companies with less-than-stellar data-handling records recently include Ameritrade, Bank of America, ChoicePoint, Citibank, DSW Shoe Warehouse, Polo Ralph Lauren, LexisNexis, and Time Warner.

Making good on her avowed intention, Platt Majoras in testimony before the Senate Committee on Commerce, Science and Transportation on Thursday recommended that "Congress consider whether companies that hold sensitive consumer data, for whatever purpose, should be required to take reasonable measures to ensure its safety."

She also urged that Congress consider requiring companies to notify consumers in the event of a data breach. California already has such a requirement.

Data Debacles: Top 10 Customer Data Loss Incidents
Company/Organization Number of
Date of
3.9 million
June 6
DSW Shoe Warehouse
1.4 million
March 8
Bank of America
1.2 million
Feb. 25
Time Warner
May 2
March 9
April 19
Polo Ralph Lauren
April 14
Feb. 15
Boston College
March 17
Bank of America
and Wachovia
May 23
Source: InformationWeek, public disclosures by companies

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of the Cloud Report
As the use of public cloud becomes a given, IT leaders must navigate the transition and advocate for management tools or architectures that allow them to realize the benefits they seek. Download this report to explore the issues and how to best leverage the cloud moving forward.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll