MADISON, Wis. - CUNA Mutual Group and 163 credit unions have filed suit in Massachusetts Superior Court against B.J.'s Wholesale Club and against the corporation's acquiring bank, Fifth Third Bank, over losses that the insurer alleges it and the credit unions suffered from a card security breach. BJ's is headquartered in Massachusetts and Fifth Third in Ohio.
The case stems from an incident in March of 2004 in which the retailer or its processor or both had computer systems hacked by thieves who were able to steal not only card numbers, but also other card account details from, the suit alleges, both of the card's data tracks. This is the second CU case against B.J.'s. Pennsylvania State Employees CU still has an ongoing lawsuit in play.
Capturing and keeping this level of card information after transactions not only violates Visa and MasterCard rules, the suit alleges, but, when that data was compromised, meant that the credit unions had to close accounts and reissue plastics in order to deal with it.
"We intend to recover losses our policyholders and CUNA Mutual have already experienced as a result of the BJ's Wholesale card compromise. These include fraud losses that credit unions have incurred and been unable to collect, blocking costs incurred for the affected cards, and the enormous expenses associated with the reissue of all affected cards," said Marc Krasnick, senior vice president for CUNA Mutual.
The list of 163 includes both small and large credit unions, including credit unions as large as the $4 billion American Airlines FCU, headquartered in Dallas, and the $23 billion Navy Federal Credit Union, headquartered in Merrifield, Va. The sum total of losses the suit is trying to recover, so far, is $4.5 million, but Krasnick emphasized that data collection in the case is continuing.
"BJ's failed to secure properly the Visa and MasterCard credit card magnetic stripe information and B.J's retained and stored that information in direct violation of the [Visa and MasterCard's] Card Operating Regulations," the suit alleged, adding that a substantial number of credit union members had used their cards at B.J.'s and thus had their card data put at risk.
CUNA Mutual and the credit unions have asked for a jury trial to weigh their complaint, but Krasnick said the insurer and the credit unions would be open to having the matter settled out of court, though Krasnick doubted that would be the case.
"Of course, a settlement without going to trial is always a better approach from a couple of points of view, but somehow I don't believe we are going to be able to see that happy result in this case," Krasnick said.
Complicating Factors
One reason for Krasnick's pessimism might be the relative difficulty a court might have in assessing the extent of the practices that led to the security breach and weighing responsibility for it. For example, although CUNA Mutual's suit does not name either Visa or MasterCard directly, the suit does seek to have the two card associations take more steps to make sure their acquiring banks and merchants obey their own rules.
The credit union suit suggests that these sorts of breaches are widespread across retailers and that credit unions have to bear the wrath of their members whose card security is being breached. But neither Visa nor MasterCard has been forthcoming, in an explicit manner, about how many retailers might be holding on to too much card information, or why they might be doing so. Krasnick noted that even though the suing institutions have had discussions with the two card brands, they have had to discern the card brands' concern from their actions.
"We know that Visa and MasterCard have formally notified 30 major software manufacturers who manufacture the point of sale software that many retailers use and told them that their software is not in compliance with their regulations," Krasnick said. "And we know they care about fraud, and this is a significant fraud risk."
The suit is also silent on why retailers might have wanted to keep the card information, and previous retail executives have denied that retailers, in general, are even aware that they are keeping track of the information. Mallory Duncan, senior vice president with the National Retail Federation, has previously been surprised at CUNA Mutual's suggestion that the problem is very widespread. He maintained that most retailers are very cautious about what card data they hold onto.
"Certainly no responsible retailer wants to hold on to the data from a card's security track," Mallory said, "but many retailers hold onto the transaction data from a given transaction just in case something happens with that transaction where they need that record."
Mallory pointed out as well that as individual retail chains move into their own cards and gift cards they also become steadily more aware of and cautious about security. "Retailers are definitely seeking to do the right thing," he said.
CUNA Mutual had no specific timetable for when the case might move forward.
