First reported by Bleeping Computer, the letter says payment card information was compromised through a card skimming device at certain Costco locations.
“We recently discovered a payment card skimming device at a Costco warehouse you recently visited. Our member records indicate that you swiped your payment card to make a purchase at the affected terminal during the time the device may have been operating,” Costco said in the letter.
“If unauthorized parties were able to remove information from the device before it was discovered, they may have acquired the magnetic stripe of your payment card, including your name, card number, card expiration date and CVV. We recommend that you check your most recent bank and or credit card statement, related to the card above, for charges unauthorized by you.”
The company said they discovered the card skimmer after an inspection of its pin pads and said law enforcement has been contacted.
The letter added that even if victims have not seen any suspicious charges, they should still call their bank to “discuss possible options for avoiding potential problems in case” their card was inappropriately used.
Costco is offering victims IDX identity theft protection services which include 12 months of credit monitoring, a $1 million insurance reimbursement policy and ID theft recovery services.
The letters come after people wrote on Twitter and Reddit that they had discovered fraudulent charges on their Costco cards and accounts. Some said they began noticing the charges after using their card at Costco gas stations.
“Noticed a fraudulent charge on my credit card, so I called to get it handled. Guy on the phone asked if I pay at the pump usually for gas and I said yes. Apparently, skimmers for information are common on pay at pump systems and car washes,” one Reddit user wrote.
“That was the only place he saw in my history that was likely to have stolen my information. He recommended paying inside, but Costco doesn’t even have that option. Just a reminder to always check your credit card statements and watch for fraudulent charges!”
Card skimmers are a persistent problem on both physical terminals and online e-commerce portals. The problem is so common that Cloudflare created a web security tool to prevent Magecart-style attacks in March.
Costco is the fifth largest retailer in the world and fourth largest in the US, with 810 stores worldwide.