Shostack + Friends Blog Archive


Sam's Club, CC #'s and more?, they're not saying

American Banker (12/7/2005) reports [link no longer works] [warning: paywall] on the tight-lipped reaction of Sam’s Club, MasterCard, and Visa to a recent data breach involving credit and debit card mag stripe data from Sam’s Club gas stations. The affected cards seem to have been primarily from two issuers, and hundreds of actual frauds have already occurred. Nobody is talking about how many credit and debit card numbers may actually have been revealed, but according to one banker “frauds occurred in Illinois, New York, Maryland, California, Spain, and Korea”.
A little fair-use sample:

A payment-card information breach at Wal-Mart Stores Inc.’s Sam’s Club division likely exposed the data of many more customers beyond the several hundred fraud victims cited by the retailer in a statement late last week.
Wal-Mart, MasterCard International, and Visa U.S.A. all declined to provide details beyond brief statements, including any estimate of the number of customers whose account data had been exposed. Sam’s Club said the breach left “approximately 600” known fraud victims in its wake. But interviews with numerous bankers the card companies have contacted about the incident, as well as other industry observers, make clear that the number of data files compromised was probably much higher.
Executives at issuing banks say Visa sent them notifications last week that certain accounts were at risk as a result of the breach. Visa’s memo, which was sent before the retailer’s disclosure, did not mention Sam’s Club by name, but most of the issuers said they believed it concerned the Sam’s Club breach. Some issuers also said they received a notice from MasterCard.
Visa declined to tell [a banker interviewed for the story] the number of accounts that had been exposed, and that not knowing the full extent had made it difficult for his company to decide whether to reissue the affected cards. “I just want to know the breadth and scope of this thing,” he said, to “make a business decision” about whether to reissue the cards or to monitor the accounts more closely.

Paging Bob Sullivan… Bob Sullivan to the red phone, please…
Update: Sam’s Club press release [link no longer works] from 12/2/2005.

2 comments on "Sam's Club, CC #'s and more?, they're not saying"

  • ErnieGs says:

    How did this breach occur (hacked, lost backups etc)?
    Identity Theft/Fraud is not being taken seriously enough by the governing bodies (FTC, FBI and the credit agencies). They consider the current reported losses at 5 billion dollars a drop in the bucket when compared to the financial industry's 1 trillion dollar budget.
    Unfortunately, identity theft affects those least likely to defend against it – our elderly.
    Cleaning up after our own bankruptcy/delinquency mess is bad enough, but, with the error rate of 80% at the credit agencies it is so time consuming and costly as to make it next to impossible to clean up one’s credit history.
    Sorry for the dump, but I have so much more to say!!!

  • kathy skinner says:

    Are the fraudulent transactions coming in from Japan?
