According to a press release
dated Oct. 24, the PIN pad tampering affected 63 stores, which the company describes as a small percentage of all its devices.
"The tampering, which affected fewer than 1% of PIN pads in Barnes & Noble stores, was a sophisticated criminal effort to steal credit card information, debit card information, and debit card PIN numbers from customers who swiped their cards through PIN pads when they made purchases," Barnes & Noble said. "This situation involved only purchases in which a customer swiped a credit or debit card in a store using one of the compromised PIN pads."
The exploit involved hackers placing bugs in PIN pad devices and then filching the information that was swiped through by credit and debit cards.
The book giant said it has discontinued use of PIN pads in all of its stores across the U.S. after it discovered the breach
on Sept. 14. Purportedly, the company was told it could wait until Dec. 24 to inform customers.
“We have acted at the direction of the U.S. government and they have specifically told us not to disclose it, and there we have complied,” said a company official, who preferred not to be identified because the investigation was ongoing, reported the New York Times
Barnes & Noble noted that its member database, commercial website, Nook e-reader, Nook mobile apps and its Barnes & Noble College bookstores were not impacted by this exploit.
A federal investigation into this incident is underway and ongoing. The company has published a complete list
of the stores that were affected; these were located in Calif., Conn., Fla., Ill., Mass., N.J., N.Y. Pa. and R.I.
At this time, it is unclear how many customers may have been affected, reported Reuters
. New York Post
reported it is also unknown for how long the hackers manipulated the devices before the problem was discovered.
Customers that may have used their debit cards at the affected stores should change their PIN numbers and carefully monitor accounts; credit card customers should closely monitor their accounts for any suspicious activity.
Last year the Michael's chain experienced a data breach
when dozens of its POS terminals located in stores nationwide were tampered with.