Barnes & Noble Inc. has informed federal law enforcement authorities that "a sophisticated criminal effort" has potentially exposed customers' credit and debit card information to hackers who tampered with PIN pad devices at 63 of its stores.
The prominent U.S. bookseller, which operates 700 bookstores nationwide, issued a press release stating its internal investigation pinpointed the breach at stores spread throughout California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania and Rhode Island.
The bookstore chain has provided a list of those sites in which PIN pads showed signs of tampering.
Barnes & Noble stated its investigation revealed that only one PIN pad in each of these stores had been tampered with, but the chain disconnected use of the devices in all of its stores by the close of business on Sept. 14.
The bookstore chain did not indicate how long the PIN pads may have been compromised prior to the Sept. 14 shutdown.
The company's statement did not speculate on the number of potentially affected cardholders, but said it is working with issuers and payment card brands to identify accounts that may have been compromised to allow issuers to employ extra fraud security measures on potentially impacted accounts.
The company says criminals planted bugs in the tampered PIN pad devices, allowing for the capture of card account numbers and PIN codes.
Customers can securely shop with credit cards through the company's cash registers, Barnes & Noble stated. The company also emphasized that criminals had not breached the Barnes & Noble customer database. Recent purchases made on the Barnes & Noble website, through a Nook e-reader or Nook mobile application were not affected, the company said.
Reuters reported Oct. 24 that a spokesman for the FBI confirmed the agency's New York field division was investigating the breach. The FBI spokesman also raised some questions about the U.S. attorney's office for the Southern District of New York sending letters to the bookstore chain stating the company did not have to report the attacks to its customers during the investigation. One of those letters reportedly informed the store that it did not have to reveal the breach and ensuing investigation until Dec. 24, or well after the holiday shopping season had come to a close.
Instead, Barnes & Noble posted its customer notice on the company website on Oct. 24.
The company is advising customers who may have swiped cards at stores in the affected states to change their debit-card PIN as a precaution and to review their statements for unauthorized transactions.
The company statement did not indicate what brand of PIN pad was compromised, nor did it include more details as to what other information its internal investigation was able to provide law enforcement officials.
A Barnes & Noble spokesperson did not respond to inquiries prior to deadline.
It is also likely that Barnes & Noble chose not to delay notifying its customers because of the problems Michaels Stores Inc. encountered over the timing of its May 2011 breach and its notification to customers.
The nationwide craft supplies chain suffered a data breach through PIN pads, resulting in a flood of withdrawals from ATMs in California using data from breached debit cards.
Consumers who filed suit against Michaels because their cards were compromised indicated that the company had waited three months after the skimming began to alert customers to the problem. Michaels eventually announced that at least 90 payment terminals in stores in 20 states were affected by the PIN pad tampering.
In the Michaels breach incident, criminals took advantage of older PIN pads that are easier to tamper with than newer models, says Julie Conroy McNelley, senior analyst and fraud expert with Boston-based Aite Group.
"If that's the case [older equipment] with Barnes & Noble, it may have just been a matter of the criminal swapping out the PIN pad hardware to place a card-skimming device inside," McNelley says.
At first glance, McNelley says, the Barnes & Noble breach reminds her of the Lucky Supermarkets breach in northern California late last year. In that incident, fraudsters compromised the PIN pads at self-checkout lanes. Such breaches can sometimes take place with the help of an insider — or someone impersonating one, McNelley says.
"At the Lucky stores, criminals pretending to be technicians came in and swapped out the PIN hardware," McNelley says. "The bad guys do their homework and when they find a weakness in security, they will maximize that opportunity."