Costco

The Washington State Office of the Attorney General disclosed a data breach at Costco, where unauthorized access occurred between June 19, 2014, and July 15, 2015, exposing the personal and financial data of approximately 29,425 residents. The compromised information included customer names, email addresses, credit card details (security codes and expiration dates), and potentially other sensitive payment data. While the exact method of intrusion was not specified, the breach posed significant risks of fraud, identity theft, and financial exploitation for affected individuals. Costco initiated notifications to impacted customers on September 21, 2015, but the prolonged exposure period (over a year) heightened concerns about the extent of misuse during that time. The incident underscored vulnerabilities in Costco’s data protection measures, particularly in safeguarding payment card information, which is a high-value target for cybercriminals. No evidence suggested ransomware involvement, but the scale and nature of the leaked data especially credit card security codes elevated the potential for direct financial harm to customers.

Source: https://www.atg.wa.gov/data-breach-notifications | https://data.wa.gov/resource/sb4j-ca4h.json?id=9587

TPRM report: https://www.rankiteo.com/company/costco-weareit

"id": "cos038091825",
"linkid": "costco-weareit",
"type": "Breach",
"date": "6/2014",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'customers_affected': '29,425',
                        'industry': 'Retail',
                        'location': 'United States (Washington State residents '
                                    'affected)',
                        'name': 'Costco Wholesale Corporation',
                        'type': 'Retail Corporation'}],
 'customer_advisories': 'Notifications sent to affected individuals on '
                        'September 21, 2015',
 'data_breach': {'number_of_records_exposed': '29,425',
                 'personally_identifiable_information': ['names',
                                                         'email addresses'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['personal identifiable '
                                              'information (PII)',
                                              'payment card information']},
 'date_publicly_disclosed': '2015-09-21',
 'description': 'The Washington State Office of the Attorney General reported '
                'that Costco experienced a data breach due to unauthorized '
                'access from June 19, 2014, to July 15, 2015, affecting '
                'approximately 29,425 residents. The breach may have '
                'compromised customer names, email addresses, and credit card '
                'information types, including security codes and expiration '
                'dates.',
 'impact': {'data_compromised': ['customer names',
                                 'email addresses',
                                 'credit card information (including security '
                                 'codes and expiration dates)'],
            'identity_theft_risk': 'High (PII and payment data exposed)',
            'payment_information_risk': 'High (credit card details including '
                                        'security codes and expiration dates)'},
 'references': [{'source': 'Washington State Office of the Attorney General'}],
 'regulatory_compliance': {'regulatory_notifications': 'Washington State '
                                                       'Office of the Attorney '
                                                       'General'},
 'response': {'communication_strategy': 'Notification to affected individuals '
                                        'began on September 21, 2015'},
 'title': 'Costco Data Breach (2014-2015)',
 'type': 'Data Breach'}