BOSTON — BJ's Wholesale Club Inc. attracts shoppers to its stores by putting thousands of discounted products under one roof. It wasn't hard to attract cyberthieves either, with databases that amass credit card numbers in huge numbers.

The theft earlier this year of thousands of credit card records from the nation's third-largest warehouse club illustrates the potential for massive-scale identity theft whenever so much purchase-enabling information is stored in one place. It also illustrates how difficult the cleanup can be.

The Secret Service still doesn't know whether the breach was an inside job or the work of hackers, but it has made some arrests, said Tim Buckley, a Secret Service agent investigating the case.

The suspects arrested recently in the United States and abroad may have ties to a large international identity theft ring, Buckley said. He declined to say how many arrests have been made or provide further details.

Meanwhile, financial institutions are still smarting. They've had to reissue hundreds of thousands of credit cards belonging to BJ's customers as a precaution against further fraud.

The BJ's case may be the largest retail fraud of its kind based on the amount of cards reissued, experts say.

Hundreds of thousands of replacements were sent to customers across the 16 states where BJ's operates, though BJ's says the breach affected only "a small fraction" of its 8 million members.

Philadelphia-based Sovereign Bank covered about 700 fraudulent transactions from the BJ's theft and had to reissue 81,000 cards twice, at a cost of about $1 million, once in May and again in June, after a glitch occurred with the first batch, said spokeswoman Ellen Molle.

"There are some pretty heavy losses out there," said Greg Smith, president of the Pennsylvania State Employees Credit Union, which reissued cards to 14,000 of its members at a cost of $100,000.

Visa and MasterCard issuers in the United States, most of them banks, lost an estimated $820 million from fraud in 2003, up 6 percent from the previous year, according to a study by Credit Card Management, an industry magazine.

When BJ's disclosed the breach in a March 12 news release, it said it had altered its security systems and was confident customers' information was secure. BJ's, which has 150 clubs and 78 gas stations, has said the theft would have no material effect on its finances. Consumer advocacy organizations say they've received few consumer complaints.

But the company, based in Natick, Mass., now faces claims from some of the 10 to 15 banks that had to replace cards or reimburse consumers for fraudulent transactions. Investigators and bank officials have declined to disclose the monetary losses.