[ISN] Security breach at Sam's Club exposes credit card data

[InfoSec News]

http://www.computerworld.com/securitytopics/security/story/0,10801,107014,00.html

By Jaikumar Vijayan 
DECEMBER 12, 2005
COMPUTERWORLD

Sam's Club, a division of Wal-Mart Stores Inc., is investigating a
security breach that has exposed credit card data belonging to an
unspecified number of customers who purchased gas at the wholesaler's
stations between Sept 21 and Oct. 2.

In a brief statement released Dec. 2, the Bentonville, Ark.-based
company said it was alerted to the problem by credit card issuers who
reported that customers were complaining of fraudulent charges on
their statements.

It's still not clear how the data was obtained, according to the
statement. But "electronic systems and databases used inside its
stores and for Samsclub.com are not involved," the company said.

Sam's Club is currently working with both Visa International Inc. and
MasterCard International Inc. to investigate the breach. The company
also has notified the U.S. Attorney's Office for the Western District
of Arkansas and the U.S. Secret Service .

Sam's Club officials didn't respond to calls for comment.

In a statement, Visa said it has alerted all of the affected financial
institutions, asked them to provide independent fraud-monitoring
services to affected customers and requested that they issue new cards
as needed.

"Visa will continue working with its member financial institutions,
merchants and appropriate authorities to do whatever is necessary to
protect cardholders," Visa said.

Kayce Bell, chief operating officer at Alabama Credit Union (ACU) in
Foley, Ala., said the company is reissuing cards to about 500 credit
card and debit card holders as a result of the breach. The credit
union was alerted to the problem last week by Credit Union National
Association Inc., she said.

"We received information through our national reporting service that
there had been a very large breach of data at Sam's Club," Bell said.  
About 500 debit cards and credit cards issued by ACU were among the
accounts compromised in this incident, she said.

This isn't the first time this year the credit union has had to block
and reissue credit and debit cards at Visa's request. Earlier this
year, the ACU had to deactivate and reissue about 1,550 cards after
Visa notified it that cards compromised in a CardSystems Inc. breach
in June were being used fraudulently.

The Sam's Club breach is the latest in a string of data compromises
this year at organizations that have included Bank of America Corp.,
ChoicePoint Inc. , the University of California and CardSystems. Those
breaches have fueled consumer concern about data protection and talk
of legislative action to make companies more accountable for the data
they own. The breaches have also resulted in Visa and MasterCard
requiring all companies that handle payment-card information to comply
with their Payment Card Industry (PCI) data-protection standard.

"Visa is aggressively partnering with entities across the nation to
broaden adherence to these standards," the company said in its
statement regarding the Sam's Club breach. "As Visa has said before,
it's important that every entity that handles payment card information
adhere to the highest data protection standards, such as the PCI
standard, to protect the security and privacy of their customers."