Barnes & Noble says thieves tampered with PIN pads

NEW YORK Wed Oct 24, 2012 5:39pm EDT

A Barnes and Noble book store is shown here in Encinitas May 20, 2008. REUTERS/Mike Blake

A Barnes and Noble book store is shown here in Encinitas May 20, 2008.

Credit: Reuters/Mike Blake

NEW YORK (Reuters) - Barnes & Noble Inc said on Wednesday that customers who shopped at 63 of its stores as recently as last month may have had their credit or debit card information stolen in what the U.S. bookstore chain called a "sophisticated criminal effort."

The retailer, which operates a total of almost 700 bookstores, said that federal law enforcement authorities have been informed of the breach and that it is supporting their investigation.

Barnes & Noble said it had detected tampering with one personal identification number (PIN) pad device at each of the 63 affected stores and by September 14 had disconnected all the pads at every one of its stores. The tampering affected less than 1 percent of its PIN pads.

Bugs were planted in the PIN pads that allowed credit card and PIN numbers to be pulled, Barnes & Noble said.

The company said it did not know how many customers were affected. The stores are in California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania and Rhode Island, Barnes & Noble said.

A list of stores can be found here

Barnes & Noble advised customers who have swiped their cards at any of the affected stores to change their debit-card PIN numbers as a precaution, and to check their statements for unauthorized transactions.

Still, the company said its customer database was secure, and that purchases made on the Barnes & Noble website, Nook e-reader and Nook mobile apps were not affected. It also said none of the pads at its college campus stores were affected.

A spokesman for the FBI said on Wednesday that the agency's New York field division had been investigating the breach at Barnes & Noble since September.

Barnes & Noble was not required immediately to inform customers of the breach because it received so-called "safe harbor" letters from federal prosecutors, the FBI spokesman said. Safe harbor letters are used infrequently to allow law enforcement agencies to continue investigations secretly.

A spokeswoman for the U.S. Attorney's office in Manhattan declined comment on the letters.

Barnes & Noble shares were down 0.72 percent at $15.21 Wednesday on the New York Stock Exchange.

(Additional Reporting by Sakthi Prasad in Bangalore; Editing by Bernadette Baum, Alden Bentley and Kenneth Barry)

We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see
Comments (3)
gregbrew56 wrote:
Believe it or not, you can still pay in person with CASH!

Oct 24, 2012 10:42am EDT  --  Report as abuse
Hank_M wrote:
63 stores indicates some sort of systemic problem with Barnes and Nobles’ physical security, and a systemic failure of their fraud detection statistics.

Oct 24, 2012 11:25am EDT  --  Report as abuse
Dilbert314159 wrote:
@Hank_M: You are making a pretty big assumption that this indicates a physical security problem for B&N. There is no indication as of yet how (or even where) the devices were tampered with. They could have been tampered with prior to their arrival in the stores (at the factory or a service provider that installs them for example). It could have been an unscrupulous employee (from the B&N IT department or a vendor that services their equipment) that legitimately visited and serviced the pads. The bug could have been planned by a “customer” swiping a card through the device that exploded some type of zero day bug in the pads. It could have been planted via network connections. There are any number of explanations. That is why they do an investigation :)

Oct 24, 2012 2:44pm EDT  --  Report as abuse
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.