Card skimmers eyed in Sam's Club data theft

A victim of the recent Sam's Club security breach suggests that fraudsters may have stolen credit card information by using illegal "card-skimming" devices attached to the pumps at the company's gas stations. The fraudulent activity may also have been going on for a longer period than that suggested by the wholesale giant, and it may affect thousands of people.

Sam's Club, a division of Bentonville, Ark.-based Wal-Mart Stores Inc. , said in a brief Dec. 2 statement that it was investigating a security breach that had exposed the credit card data of an unspecified number of customers who bought fuel at its gas stations between Sept. 21 and Oct. 2. The company said it was alerted to the problem by credit card issuers whose customers were complaining of fraudulent charges on their statements.

Apart from saying that "electronic systems and databases used inside its stores" were not involved, Sam's Club officials have refused to disclose what happened. They have not returned repeated telephone calls for comment.

The breach prompted the Alabama Credit Union (ACU) to block and reissue debit cards to about 500 of its customers after it learned of the problem last week. The ACU was alerted to the breach by Credit Union National Association Inc. , according to Kayce Bell, chief operating officer at the Tuscaloosa, Ala.-based credit union.

The fact that one institution alone had to block so many cards suggests that the breach may have affected a lot more than the 600 or so victims Sam's Club said it knows about, said Avivah Litan, an analyst at Gartner Inc. in Stamford, Conn.

In fact, ACU President Steve Swofford, in comments posted on the credit union's Web site, said that the breach affects "many, many cardholders, card issuers and financial institutions.