The credit card theft that hit hundreds of attendees at conventions in Boston this fall could be much larger and include other victims throughout the city, police investigating the crime said Wednesday.
Boston Police Detective Steven Blair said the thefts were widespread and not limited to people who attended the conferences at the Boston Convention & Exhibition Center in October and November.
“It’s extensive,” Blair said. “It’s not just focused on the Seaport area,” where the convention center is located.
Based on initial interviews with credit card companies, Blair said the tally of victims could be “hundreds” more than those who have already reported unauthorized or fraudulent charges on their credit cards after visiting Boston.
So far around 300 people from two conferences, the American Society of Human Genetics meeting in October and the American Public Health Association gathering in November, told organizers their credit cards had been compromised.
‘We wish to express how deeply sorry we are that the guests of Boston fell victim to this crime.’
It is unclear how the thefts occurred, but Blair said the scope of the crime suggests the thieves hacked into the computer system of a business or businesses in Boston and captured the data that way.
“Somebody’s computer got compromised,” Blair said. “It’s not one individual working at a restaurant skimming.”
So far the operator of the convention center, the adjacent hotel where many conference guests stayed, and several local restaurants and bars they patronized all said the data breach does not appear to have occurred within their systems.
On Wednesday, the Massachusetts Convention Center Authority sought to reassure a group of convention planners scheduled to meet in Boston in January that the thefts did not take place inside the Boston facility, but rather perhaps at nearby restaurants and businesses.
The authority also disclosed that a dozen of its employees were also victimized by the thefts.
“We were distressed to hear just how many attendees were impacted by these thefts, and wish to express how deeply sorry we are that the guests of Boston fell victim to this crime,” the authority wrote in its letter, a version of which was also posted on its website.
In the weeks after the Boston conventions, victims reported that their cards were fraudulently used across the country at clothing shops and other businesses, and at drug stores and big box retailers to buy gift cards that can be resold for cash.
Victims told event organizers that while in Boston they primarily used their credit cards in nearby restaurants and businesses, such as M.J. O’Connor’s Restaurant and the City Bar, both of which are inside the Westin Boston Waterfront Hotel.
The Briar Group, which owns those businesses, said its security consultants have to date found no problems with its systems. The Westin also said it found no evidence of a breach in its systems.
In addition to the Boston Police probe, the thefts are being investigated by the state attorney general’s office and the US Secret Service. Police have reached out to the major credit card companies to help retrace the steps of potential victims and pinpoint where they used their credit cards.
Meanwhile, city leaders sought to head off any damage the data thefts might inflict on Boston’s booming tourism industry.
Mayor-elect Martin J. Walsh promised Wednesday night that police and the convention center will “get to the bottom of it.” He added: “I’m not worried about Boston. Boston is a safe city.”
Separately, in a letter posted on the authority’s website and sent to clients, executive director of the convention authority James Rooney sought to assure conference attendees that Boston’s convention halls have extensive information security systems.
The authority, tourism officials, and the police, “have always been deeply invested in the overall safety of conventioneers that do business in our city and will continue to be vigilant in this area,” Rooney wrote.