Hundreds of attendees at two large conventions in Boston this fall have reported that their credit card information was stolen and was used to purchase goods around the country and overseas.
Though it is unclear how the thefts occurred, many of the victims say they had used their credit cards in area restaurants and businesses, especially in the Seaport District, where the Boston Convention & Exhibition Center is located.
Convention officials and local businesses have said they contacted Boston and State Police, as well as the Secret Service, which also investigates data theft.
Victims said their credit card numbers were fraudulently used at a hearing aid company in North Carolina, at women’s clothing stores in New York City, and in drugstores and big box retailers around the country to buy gift cards that can be resold for cash.
“This is the first time we’ve had this kind of thing happen,” said Georges Benjamin, executive director of the American Public Health Association, which hosted 13,000 conventioneers in Boston in early November. So far about 100 attendees have told the association their cards were fraudulently used — in one case to try to make a $100,000 purchase.
“It’s enough people that clearly something was going on,” Benjamin said.
Meanwhile the American Society of Human Genetics annual conference, which hosted 8,000 attendees at the convention center in October, said some 200 people reported unauthorized charges after visiting Boston.
Among those is Edward McCabe, the chief medical officer for the March of Dimes, who reported several unauthorized charges at overseas locations after attending the human genetics conference.
Based in White Plains, N.Y., McCabe said the incident “will make me a little more cautious around Boston.”
Though the public authority that runs the convention center said the data breach did not occur at its facility, the timing of the thefts is inauspicious for the agency. In January, the Boston facility will host the annual meeting of convention planners — the professionals who advise associations and large groups where to hold their events.
“I hope they have this solved before they bring 3,000 convention planners to the city,” said Pauline Minhinnett, director of meetings for the Human Genetics society.
But the data breach even claimed as victims several employees of the Massachusetts Convention Center Authority, said spokesman Mac Daniel.
The authority began investigating around Thanksgiving after receiving complaints from the two conference groups, Daniel said, and so far has concluded the breaches did not happen inside the convention hall.
“After running internal checks and working with our customers, we found that no alleged theft occurred in any MCCA facility and appeared to occur at bars and restaurants across the city,” Daniel said in a statement.
The Westin Boston Waterfront Hotel, which is connected to the convention center and provided accommodations to many attendees, also said the breaches did not happen within its systems, general manager Michael Jorgensen said.
“We feel bad because they are our hotel guests,” Jorgensen said. “But it did not come from here.”
Conference organizers said many victims reported eating or ordering drinks at two businesses inside the Westin — M.J. O’Connor’s Restaurant and City Bar. But the owner of those businesses, the Briar Group, said its security consultants have found no problems with its systems.
“To date, they’ve indicated there has been no breach,” said Kimberley Ring, a spokeswoman for the Briar Group.
The company, which owns 10 restaurants in the Boston area, complies with the security standards outlined by the payment card industry, a consortium of major credit card firms, Ring said.
In 2011, the Briar Group paid a $110,000 settlement to the Massachusetts attorney general over allegations it failed to protect diners’ personal information after a security breach. Malware, or malicious software, was apparently installed on Briar’s systems that allowed hackers access to credit and debit card information, including names and account numbers.
At the time of the settlement, the Briar Group said it acted aggressively after it became aware of the breach.
Credit card theft is common, costing millions of American consumers and businesses billions of dollars. Since June, companies have reported 10 data breaches that collectively affected the credit card and social security numbers of more than 9,400 Massachusetts residents.
Massachusetts was home to one of the largest and most notorious such thefts on record — the 2007 hacking of retailer TJX Cos., in which thieves stole at least 130 million customer credit and debit card numbers.
That breach was estimated to have cost the company around $200 million.
One of the conspirators in the ring behind that and other large data breaches, Albert Gonzalez, received a 20-year sentence in 2010 for his part in the thefts.
Credit card theft occurs in several forms.
Some is old-fashioned paper-based theft, when an employee or outsider gets their hands on physical credit card records.
More often, breaches take place through malware that can be sent as a link in an e-mail; some companies have been infiltrated by thieves posing as software vendors who talk employees into downloading what they say are patches to fix software applications.
A device called a keystroke logger, which looks like a flash drive and can be inserted into a USB port on a machine that processes credit cards, can also mine data, said Chris Zoladz, founder of Navigate LLC, an information protection and privacy consultancy in Germantown, Md.
Convention-goers are not more at risk than other consumers, Zoladz added, although they eat out more often.
But restaurants are particularly vulnerable to credit card theft because servers walk away with diners’ cards. Wayward employees can simply write down the credit card information or use a device called a skimmer to capture not only the name, card number, expiration date, and security code, but the information in the magnetic stripe as well.
This gives thieves the ability to manufacture new cards that are indistinguishable from the originals, Zoladz said.
“Any time a credit card is pulled out and presented to somebody, and put online for that matter,” Zoladz said, “any time it’s used, it’s at risk.”