Costco discloses payment card breach at store

Dan Berthiaume
Senior Editor, Technology
Costco had a security breach at a POS terminal.

Costco Wholesale Corp. has been victimized by criminals using what might be considered “legacy” hacking technology.

The Issaquah, Wash.-based warehouse club retailer, which had more than 105.5 million members at the end of 2020, is using a form letter to notify select customers that their payment card information may have been compromised. The letter, sent from Costco VP of Midwest region operations Kevin Green, informs recipients that a payment card skimming device was discovered during “regular pin pad inspections conducted by Costco personnel” at a store they recently visited.

Customers receiving the alert swiped their payment card at the affected POS terminal during the time the skimming device may have been operating. As a result, unauthorized parties may have been able to obtain information from the magnetic stripe of payment cards, including customer name, card number, card expiration date, and card verification value (CVV) security code.

The letter also advises recipients to check their bank and/or credit card statements for fraudulent activity and contact their financial institutions. Costco is additionally offering potentially affected customers the option to enroll in free identity theft protection services from IDX and a $1 million insurance policy. Costco says it is cooperating with law enforcement authorities to investigate the breach.

According to Bleeping Computer, which initially reported news of the breach and made the form letter available online, Costco customers have been complaining about unauthorized transactions on their payment cards since February 2021. Costco, which did not immediately respond to a Bleeping Computer request for comment, has not publicly specified when this payment card skimmer incident took place.

While the “traditional” POS skimming attack was commonplace in the 2010s, in the past several years retail hackers have shifted their focus to cyberattacks, which offer advantages such as being harder to detect via routine inspection and being launchable remotely. According to the 2021 Verizon Data Breach Investigations Report, the top cyberattack patterns found in the retail sector now stem from system intrusion, social engineering (such as phishing), and basic web application attacks.

In commentary provided to Chain Store Age, Armen Najarian, chief identity officer at Outseer (an RSA company), said this skimming breach underscores the urgency for better payment security anywhere a transaction happens.

"As we head into the holiday season, hackers and other bad actors will target retailers made vulnerable by short staffing and high transaction volumes," said Najarian. "All of this, unfortunately, will be amplified this year as pandemic-induced labor shortages reach unprecedented levels. If retailers want to keep their customers safe and happy this holiday season, they need to prioritize payment authentication software for in-store and online transactions alike."

Costco currently operates 817 warehouses, including 565 in the United States and Puerto Rico, 105 in Canada, 39 in Mexico, 30 in Japan, 29 in the United Kingdom, 16 in Korea, 14 in Taiwan, 13 in Australia, three in Spain, and one each in Iceland, France, and China. Costco also operates e-commerce sites in the U.S., Canada, the United Kingdom, Mexico, Korea, Taiwan, Japan, and Australia.