Costco hit by credit-card breach — what you need to do


Updated with more details about the number and location of Costco stores affected.

At least one Costco retail warehouse has been hit by credit-card thieves, and the company is warning customers to be on alert.

"You are receiving this letter because your payment-card information may have been compromised," reads the Costco letter, dated Nov. 5. The notification letter was first seen by Bleeping Computer.

"We recently discovered a payment-card skimming device at a Costco warehouse you recently visited," the letter adds. "Our member records indicate that you swiped your payment card to make a purchase at the affected terminal during the time the device may have been operating."

The Costco letter doesn't say which Costco warehouse or warehouses may have been affected, but the letter is signed by the vice president of Costco's Midwest operations. It's not clear how many Costco members may have been affected.

The letter warns that the crooks "may have acquired the magnetic stripe [data] of your payment card, including your name, card number, card expiration date and CVV [card verification value]." Such information can be used to "clone" the card using duplicate magnetic-stripe data.

Payment-card skimmers are devices that illegally capture the card's information. They can be grafted onto legitimate retail payment-card readers, aka PIN pads, often without the knowledge of store employees and usually so well that you can't tell anything is wrong until you look closely.

"This incident was discovered as a result of regular PIN pad inspections conducted by Costco personnel," the letter reads. 

What you need to do about this Costco credit-card theft

The company is offering affected customers one year of free identity theft protection from IDX, a company that specializes in such services. Anyone who receives the notification letter can use the enrollment code at the top of the letter to sign up (before Feb. 5, 2022) at https://app.idx.us/account-creation/protect or by calling 1-800-939-4170.

We recommend that anyone receiving the letter sign up for the IDX plan. It couldn't hurt, although you're generally at low risk of full-on identity theft from just a stolen credit-card number.

You will want to contact your credit- or debit-card issuer as soon as you receive the Costco letter, however. Doing so in a timely manner — which can be as short as two business days for debit-card holders — insulates you from major losses resulting from fraudulent charges and usually means you're on the hook for no more than $50.

Even Costco customers who haven't received such letters should check their recent credit-card statements anyway for possible unauthorized charges. And, in general, use the chip-card reader in a payment terminal rather than the magnetic-stripe reader. The chip-card method is much more secure and less likely to result in a stolen card number.

Update: Four Chicago-area Costco stores hit

Costco later told ZDNet that the card skimmers were found at four Chicago-area warehouses in August, and that fewer than 500 customers were affected, all of whom had been notified and offered free identity-theft-protection services. No skimmers were found at other retail warehouses.

Paul Wagenseil