Hackers Obtain Some B&N Customers' Data
In September, hackers stole PIN codes and other debit and credit card information belonging to customers at 63 Barnes & Noble stores (about 10% of its total), according to reports in the New York Times, Wall Street Journal and other media that were confirmed by B&N.
The company hadn't notified affected customers of the problem, which occurred through PIN pad devices (where customers punch in their PIN codes), because, it said, the FBI asked it to keep the matter secret to help its investigation. It also said the Justice Department indicated it could wait until as late as December 24 to notify customers of the breach. A legal expert quoted by the Times said that under most state laws, B&N wouldn't have to notify customers of problems if all data was encrypted, which was the case. At the same time, security experts said encryption is proving less and less of a defense against hackers. The distinction matters here: encryption protects card data once it leaves the terminal, but a PIN pad that has itself been compromised can capture the card number and PIN as the customer enters them, before any encryption is applied.
An unidentified B&N executive told the Times that some unauthorized transactions were made in September but "had declined in recent weeks." He added that "the company had informed credit card companies that certain accounts might have been compromised."
There was no information about how many B&N customers were affected or how they would know if their information had been stolen. The Wall Street Journal said B&N recommended "customers who may have swiped their cards at affected stores should change their PIN numbers on their debit cards and review their accounts, while credit card users should also review their statements." The affected stores were in California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania and Rhode Island. The company said online purchases, Nook purchases and B&N College operations were not affected.
Apparently only one PIN pad device in each affected store was hacked. The Times quoted security experts as saying that "a company insider could have inserted malicious code, or criminals could have persuaded an unsuspecting employee to click on a malicious link that installed malware, giving the perpetrators a foothold into Barnes & Noble's point-of-sale systems." One security expert called it "no small undertaking."
The company has removed all 7,000 PIN pad devices from its 689 stores.