Cyber Incident Victim: Costco Wholesale Corporation

Costco Wholesale Corporation disclosed a payment card data breach in November 2021 after discovering a skimming device during routine checks at one of its retail warehouses. The company identified the illicit device through internal personnel inspections, though the specific warehouse location remained undisclosed. Upon discovery, Costco immediately removed the skimmer, notified law enforcement agencies, and initiated collaboration with investigators. Breach notification letters sent to affected customers in November indicated that individuals who swiped payment cards at the compromised terminal during the device's operational period were at risk. The skimmer potentially captured magnetic stripe data including cardholder names, card numbers, expiration dates, and CVV security codes. Costco warned that unauthorized parties could have extracted this information before device removal, enabling fraudulent transactions.

The incident impacted customers who visited the unidentified warehouse during the skimmer's active period, though Costco did not publicly disclose the total number of affected individuals. Customers reported unauthorized charges on payment cards dating back to at least February 2021, though the company's communications did not specify the exact timeframe of the skimmer's installation or operation. Costco directed potentially impacted individuals to monitor bank and credit card statements for suspicious activity and report fraudulent transactions to financial institutions. No e-commerce systems or digital payment platforms were implicated, as the breach stemmed exclusively from physical card skimming at a single warehouse terminal. Law enforcement investigations remained ongoing at the time of disclosure, with no public attribution of responsibility for planting the device. The company did not comment on whether enhanced point-of-sale security measures were implemented following the incident.