Barnes & Noble halts use of PIN pad devices after data breach

Payment terminals at 63 stores in eight states compromised; unknown number of customers affected

Barnes & Noble has removed PIN pad devices from all of its nearly 700 stores nationwide as a precaution after detecting evidence of tampering with the devices at 63 of its stores in eight states.

In a statement Wednesday, the company urged customers who had used their debit cards at the affected stores to change their PINs and to notify their banks immediately of any suspicious transactions. Customers who used credit cards to pay for purchases at the affected stores should review their statements for unauthorized transactions and report them to their bank, the company said.

A total of 63 stores in California, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania and Rhode Island were affected by the September breach.

Barnes & Noble said the compromise was limited to one tampered PIN pad device at each of the 63 stores. The company did not say how many customers may have been affected by the compromise or why it waited for more than a month to disclose the breach.

Many of the states where the tampering occurred have data breach laws that call for the speedy disclosure of breaches involving loss of credit card, debit card and other sensitive data. However, some of the states also allow exemptions in situations where law enforcement authorities might advise a company not to disclose a breach until early investigations are completed.

"The criminals planted bugs in the tampered PIN pad devices, allowing for the capture of credit card and PIN numbers," Barnes & Noble said in its statement. Federal and local law enforcement are investigating the breach, the company noted.

A Barnes & Noble spokeswoman said the compromise was detected last month and all the PIN pads were taken offline on Sept. 14. The company does not know when the devices were tampered with or how long the compromised devices may have been in place before being detected and removed, she added. The spokeswoman did not offer any details on when Barnes & Noble planned to bring its PIN pad devices back online.

Customers can continue to use their debit and credit cards to pay for purchases via the company's cash registers, the company said.

The breach does not affect Barnes & Noble's customer database nor does it affect purchases made via its online store. Nook e-reader and Nook mobile applications were also unaffected by the intrusion, the company said.

"The tampering, which affected fewer than 1% of PIN pads in Barnes & Noble stores, was a sophisticated criminal effort to steal credit card information, debit card information, and debit card PIN numbers from customers who swiped their cards through PIN pads when they made purchases," the company said.

Payment card theft involving compromised PIN pad devices is not new. In 2010, discount grocer Aldi Inc. disclosed a data breach in which criminals stole debit card data from an undisclosed number of people after tampering with PIN pad terminals at stores across 11 states.

Last year, crafts store chain Michaels Stores disclosed that close to 100 payment card terminals at stores across 20 states were tampered with by criminals looking to steal debit and credit card data.

Contrary to what one might expect, tampering with payment card terminals at retail stores is not very hard, said Avivah Litan, an analyst with Gartner Inc.

In most cases, crooks begin by targeting specific payment devices, not necessarily the store itself, she said. "What they do is study the equipment. They take it apart, look at it and then build [a card skimmer] that can be slipped into it very quickly."

The skimmers are often small and unobtrusive and are designed to capture and wirelessly transmit stolen card data to offsite servers. The crooks then attack stores using those devices, she said.

"I know of at least one case where they did this at a bank. With all that security they just went in and slipped a skimmer into a bank ATM."
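The defensive counterpart to the attack Litan describes is a device inventory that is reconciled against periodic physical inspections, so that a swapped pad, a re-sealed case or an unlisted device on a lane is noticed before a month of card data walks out the door. The following is an added example, not code from the article, from Barnes & Noble or from any vendor; the store codes, serial numbers, seal numbers and firmware versions are constructed for illustration, and the field names and rules are assumptions.

```python
"""Reconcile a PIN pad inventory of record against a store inspection.

Added example (not from the article or from Barnes & Noble): store codes,
serials, seal numbers, firmware versions and the rules below are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Terminal:
    store: str
    lane: int
    serial: str    # serial printed on the device and recorded at deployment
    seal: str      # tamper-evident seal number applied when the pad was installed
    firmware: str  # firmware version reported by the device


# Constructed inventory of record: what was installed and sealed.
INVENTORY = [
    Terminal("NY-0142", 1, "PP-A1001", "SEAL-55001", "3.2.1"),
    Terminal("NY-0142", 2, "PP-A1002", "SEAL-55002", "3.2.1"),
    Terminal("CA-0077", 1, "PP-B2001", "SEAL-61001", "3.2.1"),
    Terminal("CA-0077", 2, "PP-B2002", "SEAL-61002", "3.2.1"),
]

# Constructed inspection results: what store staff actually found on the counter.
INSPECTION = [
    Terminal("NY-0142", 1, "PP-A1001", "SEAL-55001", "3.2.1"),
    Terminal("NY-0142", 2, "PP-C9310", "SEAL-55002", "3.2.1"),  # serial differs: device swapped
    Terminal("CA-0077", 1, "PP-B2001", "SEAL-99872", "3.2.1"),  # seal differs: case opened, re-sealed
    Terminal("CA-0077", 3, "PP-B2999", "SEAL-61003", "3.1.0"),  # lane 3 never had a pad deployed
]


def reconcile(inventory, inspection):
    """Return findings as (store, lane, issue, expected, observed) tuples.

    A pad is keyed by (store, lane). Every deviation between the record and
    the inspection is reported separately, so one device can produce several
    findings; devices found on lanes with no record are reported last.
    """
    expected = {(t.store, t.lane): t for t in inventory}
    observed = {(t.store, t.lane): t for t in inspection}
    findings = []
    for key, exp in sorted(expected.items()):
        obs = observed.get(key)
        if obs is None:
            findings.append((*key, "missing", exp.serial, None))
            continue
        if obs.serial != exp.serial:
            findings.append((*key, "serial_mismatch", exp.serial, obs.serial))
        if obs.seal != exp.seal:
            findings.append((*key, "seal_mismatch", exp.seal, obs.seal))
        if obs.firmware != exp.firmware:
            findings.append((*key, "firmware_mismatch", exp.firmware, obs.firmware))
    for key, obs in sorted(observed.items()):
        if key not in expected:
            findings.append((*key, "unexpected_device", None, obs.serial))
    return findings


def stores_to_pull(findings):
    """Stores with at least one finding: take those pads offline pending review."""
    return sorted({f[0] for f in findings})


if __name__ == "__main__":
    for finding in reconcile(INVENTORY, INSPECTION):
        print(finding)
    print("pull pads at:", stores_to_pull(reconcile(INVENTORY, INSPECTION)))
```

A clean reconciliation is necessary but not sufficient: a skimmer that is "slipped into" a device the way Litan describes may leave the serial, the seal and the reported firmware version untouched, so the inspection that feeds this check must also include a physical look at the card slot, keypad overlay and cabling, and any finding should be treated as a potential card-data breach for that store rather than as a bookkeeping error.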

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is
