[BreachExchange] Costco discloses data breach after finding credit card skimmer

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Fri Nov 12 14:30:31 EST 2021


https://www.bleepingcomputer.com/news/security/costco-discloses-data-breach-after-finding-credit-card-skimmer/

Costco Wholesale Corporation has warned customers in notification letters
sent this month that their payment card information might have been stolen
while recently shopping at one of its stores.

The retail giant (also known as Costco Wholesale and Costco) is an American
multinational that operates a large chain of membership-only retail stores,
the fifth-largest retailer worldwide, and the tenth-largest corporation in
the US by total revenue according to Fortune 500 rankings.

It has 737 warehouses worldwide, and it also operates e-commerce websites
targeting multiple world regions, including the Americas, Europe, and Asia.

Skimmer device planted at Costco warehouse
Costco discovered the breach after finding a payment card skimming device
in one of its warehouses during a routine check conducted by Costco
personnel.

The company removed the device, notified the authorities, and is now
working with law enforcement agents who are investigating the incident.

"We recently discovered a payment card skimming device at a Costco
warehouse you recently visited," Costco told potentially impacted customers
in breach notification letters.

"Our member records indicate that you swiped your payment card to make a
purchase at the affected terminal during the time the device may have been
operating."

Customer payment info likely stolen
Costco added that individuals impacted by this incident might have had
their payment information stolen if those who planted the card theft device
were able to gain access to the info before the skimmer was found and
removed.

"If unauthorized parties were able to remove information from the device
before it was discovered, they may have acquired the magnetic stripe of
your payment card, including your name, card number, card expiration date,
and CVV," Costco revealed.

The retailer advised the customers to monitor their bank and credit card
statements for fraudulent charges and report suspicious transactions to
relevant financial institutions.

Data breach notification letters sent to affected individuals did not
disclose the total number of impacted customers or the warehouse location
where the skimmer device was found.

While the company didn't reveal the exact timeline of the incident, Costco
customers have complained about unauthorized transactions [1, 2, 3] on
their payment cards since at least February [4].
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20211112/d3cd37f7/attachment.html>


More information about the BreachExchange mailing list