Criminals tampered with PIN pads at 63 Barnes & Noble stores across the United States, stealing the credit- and debit-card information of countless customers, the bookstore chain said in a statement yesterday (Oct. 23).
The data breach was discovered in mid-September, but kept the matter quiet at the request of the Department of Justice, according to an unnamed company official who spoke to the New York Times. The Times, which apparently learned of the breach independently, broke the story last night on its website.
"We have acted at the direction of the U.S. government and they have specifically told us not to disclose it, and there we have complied," the Barnes & Noble official told the Times.
"Barnes & Noble disconnected all PIN pads from its stores nationwide by close of business September 14, and customers can securely shop with credit cards through the company's cash registers," read a statement posted on the Barnes & Noble corporate website today.
The company said that card transactions on the Barnes & Noble website and those involving its Nook e-reader were not affected.
[ How to Protect Your Debit Card From Skimming Scams ]
PIN pads are small devices located at checkout counters at thousands of retail outlets in North America. They allow the customer to swipe a card and, in the case of a debit transaction, type in a personal identification number, or PIN. They sometimes also let a credit-card customer "sign" a touchscreen with a plastic pen.
Barnes & Noble said only one PIN pad was compromised in each of 63 affected retail outlets in nine U.S. states, which included California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania and Rhode Island. A complete list of the affected stores is on the company website.
"The criminals planted bugs in the tampered PIN pad devices, allowing for the capture of credit card and PIN numbers," the company statement said. "We discovered this tampering during maintenance and inspection of the devices, and we promptly discontinued the use of all PIN pads in our nearly 700 retail stores nationwide."
The company did not provide further details of how the PIN pads were tampered with, but such a scheme would normally require physical access to the devices in order to install additional hardware, or even swap out a clean PIN pad with a tampered one.
Tampered PIN pads record card data, customer names and PINs for the benefit of criminal gangs, which can then resell the information wholesale in underground online markets. Sometimes the information is transmitted to remote computers controlled by criminals; in other instances, the criminals must return to the compromised PIN pads to retrieve the information.
A company official told the New York Times that some compromised card had been used to make unauthorized purchases.
Last year, the Michaels art-supply chain revealed that nearly 90 PIN pads had been tampered with at dozens of retail outlets in 20 states. Michaels has not disclosed whether the persons behind the tampering have been apprehended.
Barnes & Noble urged customers to change the PIN numbers on debit cards, to review their account statements and to notify their card issuers if anything seems amiss. It reminded customers that all U.S. residents are entitled to three free credit reports per year.
Credit-card holders aren't responsible for unauthorized transactions as long as they notify the card issuer within 60 days of learning of transactions. Debit-card holders have less protection; they must notify their banks within 48 hours.