I admit it, I'm guilty.
Twice guilty, actually. When the news broke early last year that several banks had embarked on the largest-ever reissuance of credit cards in response to the theft of credit card information stored by BJ's Wholesale Club
Then the floodgates opened. Retail Ventures
At that point, I became secondarily guilty of lumping all of these guys together into one big, indifferent corporate monolith tossing our personally identifiable information about with abandon. As the facts -- and even just the alleged facts -- of last week's published consent decree between the Federal Trade Commission and BJ's make clear, however, it's not quite that simple.
First, a brief rundown. BJ's didn't want the FTC to prosecute over this data breach. With irate customers on one side, and irate credit card issuers on the other, all of them waving lawsuits, the last thing BJ's needed was federal prosecutors assailing it. So the company agreed to beef up its procedures for protecting customer data and to hire a consultant to certify that its new security was up to snuff.
At the same time, the FTC seemed to have a pretty weak case. For one thing, the commission really had to stretch the definition of the crime it was alleging: "unfair trade practices." The allegation that BJ's security was rather too much like a colander was itself a bit dodgy. Noting that BJ's collects credit card information at the register, transfers that information to credit card issuers for authorization, and has an apparently unrelated wireless network in its stores for inventory purposes, the FTC made a logical leap: since a bunch of BJ's customers had had their cards duplicated and used for fraudulent purchases, the commission decided, someone must have hacked into the company's credit card system through that wireless inventory network.
Pretty clever. But is that really what happened? I don't know. It's certainly plausible, but that doesn't make it certain. What I do know, now that I've read the actual FTC complaint, its translation into English in a press release, and BJ's response to that press release, is that this case wasn't quite that open-and-shut. Consider also that this was the first really high-profile hack of a retailer to hit the news, and I'm now prepared to cut BJ's some slack on this one. I think the consent decree, and BJ's promise to be more careful, was the correct solution here.
That said, BJ's has now been officially "fooled once" -- whether by an actual hack attack, or just the appearance of one. The onus is now on BJ's to protect its customers and its investors -- in short, to make sure it doesn't get fooled again.
Fool contributor Rich Smith owns no shares of any company mentioned in this article.