Under the settlement, Natick, Mass.-based BJ's must implement a comprehensive infosec program and obtain audits by an independent third-party security professional every other year for 20 years. BJ's operates 150 warehouse stores and 78 gas stations.
The FTC accused BJ's of not taking appropriate steps to secure sensitive customer information, including: failing to encrypt the data; creating unnecessary risks by storing the information for up to 30 days in violation of bank security rules; and storing the data in files that could be accessed using commonly known default user IDs and passwords.
BJ's also failed to implement security to prevent unauthorized wireless connections to its networks or to take steps to detect unauthorized network access, according to the FTC.
The FTC charged that BJ's failure to secure customer data was an unfair practice that violated federal law.
According to the FTC complaint, millions of dollars in fraudulent purchases were made using counterfeit copies of credit and debit cards used at BJ's stores. The counterfeit cards carried the same personal information that BJ's had collected from the magnetic strips of the genuine cards. Banks, which were forced to cancel and reissue thousands of credit and debit cards, have filed lawsuits against BJ's.