MADISON, Wis. - CUNA Mutual Group and 163 credit unions have filed suit in Massachusetts Superior Court against B.J.'s Wholesale Club and against the corporation's acquiring bank, Fifth Third Bank, over losses that the insurer alleges it and the credit unions suffered from a card security breach. BJ's is headquartered in Massachusetts and Fifth Third in Ohio. The case stems from an incident in March of 2004 in which the retailer or its processor or both had computer systems hacked by thieves who were able to steal not only card numbers, but also other card account details from, the suit alleges, both of the card's data tracks. This is the second CU case against B.J.'s. Pennsylvania State Employees CU still has an ongoing lawsuit in play. Capturing and keeping this level of card information after transactions not only violates Visa and MasterCard rules, the suit alleges but, when that data was compromised, meant that the credit unions had to close accounts and reissue plastics in order to deal with it. "We intend to recover losses our policyholders and CUNA Mutual have already experienced as a result of the BJ's Wholesale card compromise. These include fraud losses that credit unions have incurred and been unable to collect, blocking costs incurred for the affected cards, and the enormous expenses associated with the reissue of all affected cards," said Marc Krasnick, senior vice president for CUNA Mutual. The list of 163 includes both small and large credit unions, including credit unions as large as the $4 billion American Airlines FCU, headquartered in Dallas and the $23 billion Navy Federal Credit Union, headquartered in Merrifield, Va. The sum total of losses the suit is trying to recover, so far, is $4.5 million, but Krasnick emphasized that data collection in the case is continuing. "BJ's failed to secure properly the Visa and MasterCard credit card magnetic stripe information and B.J's retained and stored that information in direct violation of the [Visa and MasterCard's] Card Operating Regulations," the suit alleged, adding that a substantial number of credit union members had used their cards at B.J.'s and thus had their card data put at risk. CUNA Mutual and the credit unions have asked for a jury trial to weigh their complaint but Krasnick said the insurer and the credit unions would be open to having the matter settled out of court, though Krasnick doubted that would be the case. "Of course, a settlement without going to trial is always a better approach from a couple of points of view, but somehow I don't believe we are going to be able to see that happy result in this case," Krasnick said. Complicating Factors One reason for Krasnick's pessimism might be the relative difficulty a court might have in assessing the extent of the practices that led to the security breach and weighing responsibility for it. For example, although CUNA Mutual's suit does not name either Visa or MasterCard directly, the suit does seek to have the two card associations take more steps to make sure its acquiring banks and merchants obey its own rules. The credit union suit suggests that these sorts of breaches are widespread across retailers and that credit unions have to bear the wrath of their members whose card security is being breached. But neither Visa nor MasterCard has been forthcoming, in an explicit manner, about how many retailers might be holding on to too much card information, or why they might be doing so. Krasnick noted that even though the suing institutions have had discussions with the two card brands, they have had to discern the card brands' concern from their actions. "We know that Visa and MasterCard have formally notified 30 major software manufactures who manufacturer the point of sale software that many retailers use and told them that their software is not in compliance with their regulations," Krasnick said. "And we know they care about fraud, and this is a significant fraud risk." The suit is also silent on why retailers might have wanted to keep the card information, and previous retail executives have denied that retailers, in general, are even aware that they are keeping track of the information. Mallory Duncan, senior vice president with the National Retail Federation has previously been surprised at CUNA Mutual's suggestion that the problem is very widespread. He maintained that most retailers are very cautious about what card data they hold onto. "Certainly no responsible retailer wants to hold on to the data from a card's security track," Mallory said, "but many retailers hold onto the transaction data from a given transaction just in case something happens with that transaction where they need that record." Mallory pointed out as well that as individual retail chains move into their own cards and gift cards they also become steadily more aware of and cautious about security. "Retailers are definitely seeking to do the right thing," he said. CUNA Mutual had no specific timetable for when the case might move forward. -

[email protected]