BOSTON (AP) – The theft of computerized credit card data from one of the nation’s biggest warehouse retail clubs is creating costly headaches for banks and leaving consumers with questions beyond whether the fraud affected them.
For consumer advocates and computer security experts, the theft at BJ’s Wholesale Club raises nagging questions as lawmakers take new steps to crack down on identity theft: How many similar security breaches occur, and how many retailers choose not to warn the public when it happens?
Some observers suspect such thefts are far more common than many realize.
“I don’t think this case was that much of an anomaly,” said Carol Baroudi, a retail and computer security systems analyst from the Arlington-based firm Baroudi Bloor. “I think the fact that we’ve actually heard about it is different … BJ’s had the guts to come forward.”
BJ’s, the No. 3 membership warehouse club nationally behind Costco and WalMart’s Sam’s Club, disclosed the theft of computerized information on some of its 8 million members’ credit and debit cards on March 12 by issuing a consumer alert via a news release. The chain said only a “small fraction” of its members appeared to have been affected.
Natick-based BJ’s now faces claims from some of more than a dozen banks that covered costs to replace hundreds of thousands of cards, reimburse consumers for fraudulent transactions, or both.
Experts say the case may have been the largest retail fraud of its kind, based on the number of cards replaced. Reissued cards were sent to customers across the 16 states where BJ’s operates, from Maine to Florida.
Consumer advocacy organizations report receiving few consumer complaints about the BJ’s theft. But problems linger for the roughly 15 financial institutions that issued cards used for fraudulent transactions, said Secret Service investigator Tim Buckley.
Buckley and bank officials declined to disclose losses from fraud reimbursement.
Sovereign Bank covered about 700 fraudulent transactions and is considering seeking restitution from BJ’s, spokeswoman Ellen Molle said.
The bank reissued 81,000 cards twice, at a cost of about $1 million, once in May and again in early June after a glitch occurred with the first batch of cards.
“There are some pretty heavy losses out there,” said Greg Smith, president of the Pennsylvania State Employees Credit Union, which reissued cards to 14,000 of its members at a cost of $100,000.
“We do not think our members ought to bear this loss,” Smith said.
BJ’s, which has 150 clubs and 78 gas stations, disclosed in a June 9 regulatory filing that the claims it had received to date would not “have a material adverse effect” on its finances. Its stock has recently remained stable in the $20 to $25 range.
The company said it was notified by credit card issuers of fraudulent transactions “at non-BJ’s locations.” A computer security firm concluded the theft did not involve BJ’s main database for card transactions, but likely was a decentralized breach “involving club-level systems.”
BJ’s spokeswoman Amy Russ declined further comment.
No arrests have been made, and Secret Service investigators remain unsure whether the crime was an inside job or the work of hackers. They believe some suspects may be tied to a larger identity theft ring with international ties.
“We cannot pinpoint exactly how the accounts have been compromised,” Buckley said. “Any talk of a hacker or hackers is speculative.”
Some impetus to crack down further on identity theft may come from industry, since credit card issuers generally reimburse consumers for losses from fraudulent transactions, said Deirdre Cummings, consumer program director for the Massachusetts Public Interest Research Group.
Congress and state legislatures, meanwhile, are strengthening identity theft laws and penalties – steps inspired, in part, by the increase in identity theft cases and research indicating that most thefts originate with workers stealing information from their employers.
A California law that took effect last year is believed to be the first to require banks and other companies to notify customers when a breach of customers’ information is suspected. California also requires businesses to limit how and when they display consumers’ Social Security numbers.
A bill that cleared Congress June 25 establishes a new crime of aggravated identity theft – a change that would lead to lengthier sentences – and directs the U.S. Sentencing Commission to stiffen punishment for insider identity theft.
A Michigan State University study to be published later this year found as many as 70 percent of all identity theft cases originate with information stolen in a workplace, rather than through computer hacking, home robberies or mail fraud.
“I think it probably does happen more than businesses divulge,” said the study’s author, Judith Collins, a criminal justice professor. “They’re fearful of losing customers. The first thing customers want to do when they hear about this is change banks, change credit cards and so on.”
Another survey, released last month by the Gartner market research firm, found a surge in unauthorized transfers from checking accounts over the past year. According to the survey, nearly 2 million Americans indicated their checking accounts had been targeted, with losses exceeding $2 billion.
“When you consider the technical aspects of how it can be done, it’s no wonder that identity theft is growing,” said Robert Richardson of the Computer Security Institute, an organization for security professionals. “I can’t believe there won’t be a critical-mass moment where the government simply has to take aggressive action, although it’s not clear what that action would be.”
—
On the Net:
BJ’s Wholesale Club, including consumer alert about security breach:
http://www.bjs.com/
AP-ES-07-02-04 1216EDT