Exploiters Tamper with PIN Pad Devices at Dozens of Barnes & Noble Stores

Barnes & Noble announced earlier this week that the company experienced a data breach in which exploiters intercepted credit and debit card data. Hackers had compromised dozens of PIN pad devices used in several dozen of the chain’s 700 stores. The affected devices were spread across the country, with stores in nine states finding their devices had been compromised.

According to a Barnes & Noble press release issued on Oct. 24, the company discovered the tampering on Sept. 14 and immediately discontinued use of all the PIN pad devices in every store, although only a small percentage of the devices were said to have been exploited.

“The tampering, which affected fewer than 1% of PIN pads in Barnes & Noble stores, was a sophisticated criminal effort to steal credit card information, debit card information, and debit card PIN numbers from customers who swiped their cards through PIN pads when they made purchases,” Barnes & Noble said. “This situation involved only purchases in which a customer swiped a credit or debit card in a store using one of the compromised PIN pads.”

Barnes & Noble also stressed that only 63 stores were impacted, and that purchases made on the company’s commercial website, at Barnes & Noble College Bookstores, and through NOOK and NOOK mobile apps were not affected by this data breach.

The announcement did not say how long the breach had been occurring or how many customers may have been impacted during that time.

Reportedly, the notice to the public was delayed pending a federal investigation. The book giant said the government told the company that the breach announcement to customers could be held off until Dec. 24, the New York Times reported.

“We have acted at the direction of the U.S. government and they have specifically told us not to disclose it, and there we have complied,” a company official, who preferred to remain anonymous, told the New York Times.

Stores in nine states were impacted: California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania and Rhode Island. The company listed all of the specific stores that were affected in its press release.

Barnes & Noble is advising customers to change the PIN numbers on their debit cards and monitor bank accounts for any unrecognized transactions. Credit card customers should carefully review their statements to see if any unauthorized purchases have been made. If there is evidence of theft, customers are being told they should notify their banks immediately.

Customers with any concerns or questions about this data breach can contact the company at www.barnesandnobleinc.com or by calling 1-888-471-7809 between the hours of 8 a.m. and 8 p.m. EST.