
Credit Card Skimmer at Costco Compromises Customers’ Payment Information

U.S. retail giant Costco warned customers that their credit card information was likely compromised after making purchases at one of its outlets.

The potential compromise originated from a credit card skimmer that unauthorized individuals had installed on a payment terminal at one of Costco’s outlets.

Costco indicated that it removed the device and contacted law enforcement agencies to expedite investigations after its personnel discovered the skimmer.

Based in the Issaquah suburb of Seattle, Washington, Costco ranks tenth out of the U.S. Fortune 500 companies by revenue. The members-only vendor of prime beef, rotisserie chicken, wine, and organic foods is also the fifth largest retailer globally with 810 outlets across Asia, Europe, and the Americas.

Credit card skimmer potentially extracted sensitive payment information

Costco sent data breach notification letters on November 5, 2021, to potentially affected customers who shopped at a store where unknown suspects had installed a credit card skimmer.

“We recently discovered a payment card skimming device at a Costco warehouse you recently visited,” the company said in the letter.

“Our member records indicate that you swiped your payment card to make a purchase at the affected terminal during the time the device may have been operating.”

Costco employees discovered the credit card skimmer while inspecting the company’s terminals.

Consequently, the company informed its customers that the unauthorized individuals operating the credit card skimmer could have “acquired the magnetic stripe of your payment card, including your name, card number, card expiration date, and CVV.”

Erich Kron, Security Awareness Advocate at KnowBe4, suggested that the cybercriminals also potentially stole the victims’ PIN numbers.

“Because Costco does not accept all major credit cards, many members have to process the payment as a debit card, allowing the cybercriminals that attached the skimmer to not only get the card number but also the PIN number,” Kron said.

Impact of the breach

Unfortunately, the retailer did not disclose the number of affected customers or the store name.

The company advised its customers to monitor their credit card statements closely for suspicious activity or fraudulent charges. Additionally, Costco offered 12 months of identity theft protection from IDX, credit monitoring services, and a $1 million insurance guarantee for refunds.

Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, emphasized the damage a credit card skimmer could cause at a high traffic terminal.

“If undetected for even a month, it can compromise thousands of credit cards,” Clements said. “Costco didn’t say how routine the point-of-sale terminal checks that detected the skimmer occur, but with the scale of damage that can result from even one skimmer, retail organizations need to make it a frequent procedure.”

Meanwhile, several Costco customers had complained on social media about fraudulent transactions charged to their cards.

One Twitter user claimed in February that their family member’s card was compromised at Costco’s outlet in Inglewood and charged $3,000 for products they hadn’t purchased.

Magecart-style and hardware credit card skimmers have become popular with cybercriminals targeting online and brick-and-mortar store shoppers.

Armen Najarian, Chief Identity Officer at Outseer (an RSA company), indicated that the breach underscored the need for better payment security.

“As we head into the holiday season, hackers and other bad actors will target retailers made vulnerable by short staffing and high transaction volumes.”

“All of this, unfortunately, will be amplified this year as pandemic-induced labor shortages reach unprecedented levels. If retailers want to keep their customers safe and happy this holiday season, they need to prioritize payment authentication software for in-store and online transactions alike.”

Customers are highly dependent on vendors and payment processors to protect their credit card information from hackers.

However, they can take several steps to ensure that hackers do not steal their payment card information. Shoppers should avoid using their credit cards at secluded, poorly lit terminals and at those without physical security monitoring systems such as CCTV cameras.

They should also visually inspect payment terminals for attached skimming or illegal surveillance devices. Some credit card skimmers are loosely attached over the original card reader and can be removed with a gentle pull. Shoppers should look for attachments like adhesive tape and exposed cables.

However, Clements warned that many skimming devices have become more advanced, smaller, and harder to detect.

“Shimmers, or devices used to clone chip-based credit cards, are extremely small and thin, and can be nearly impossible to spot without disassembling the reader completely.”