More Than 60 Barnes & Noble Stores Suffer Credit Card Breach From Compromised Keypads

Barnes & Noble, the nation’s largest book chain, has suffered a data breach resulting in the loss of customer credit card data. Notification of the breach was withheld for more than a month at the request of the FBI.

Barnes & Noble insiders, who originally spoke to the New York Times, said that the breach was the result of a compromise to the terminals where customers would swipe cards. The company initially learned of the data theft in September, but withheld notification to customers and the public for a month at the behest of law enforcement.

“We have acted at the direction of the U.S. government and they have specifically told us not to disclose it, and there we have complied,” a Barnes & Noble official told the Times in a statement. 

The book chain is still investigating the incident and has so far released little information. What is known is that keypads used at the registers were compromised, leading to speculation that it was an insider job or a highly sophisticated attack.

The stolen information was used to make unauthorized purchases, the company said, but those actions tapered off towards the end of September. The company has said that customers should change their PINs if they shopped at one of the 63 stores impacted by the incident, and watch for unauthorized activity on those accounts.

Stores in California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania, and Rhode Island were compromised. A full list with addresses can be seen below. 

The company said it does not currently have PIN pads in any of its nearly 700 stores in the United States.

It is important to note that purchases from college bookstores, BN.com, Nook and Nook Mobile were not impacted by the compromise. 

Related: Skimming PIN Pads - Should PCI Standards Push Upgrades to Newer Technology?

In a statement on Wednesday, the company said the tampering affected fewer than 1% of PIN pads in Barnes & Noble stores.

"[The attack] was a sophisticated criminal effort to steal credit card information, debit card information, and debit card PIN numbers from customers who swiped their cards through PIN pads when they made purchases," the company said in the statement. "This situation involved only purchases in which a customer swiped a credit or debit card in a store using one of the compromised PIN pads."  

This is not the first time a large retailer has been hit by such an attack. In May 2011, craft chain Michaels Stores reported that 90 PIN pads across some of its 995 stores nationwide had been compromised. Those attacks resulted in victims reporting fraudulent withdrawals of up to $500 made from ATMs from credit and debit card accounts. Following the incident, Michaels removed approximately 7,200 comparable PIN pads from all its US stores.

As SecurityWeek columnist Robert Vamosi notes, some newer Point of Sale systems in the US have built-in authentication systems designed to protect merchants against fraudulent PIN pads.

“This, of course, requires the merchant to purchase a new terminal, and often upgrade or replace their current POS software as well,” Vamosi wrote. “Some mid-sized businesses might see the benefits and go ahead. Small businesses may not be able to absorb the costs. And, large businesses may choose to roll out such systems over a period of fiscal quarters or years.”

The Payment Card Industry (PCI) Security Standards Council has also issued guidance (PDF) around skimming attacks like this. 

The full list of Barnes & Noble stores that were breached is included here:

                                   
Store Address         City         State             Zip
4735 Commons Way         Calabasas         CA             91302
2470 Tuscany Street Suite 101         Corona         CA             92881
2015 Birch Road Suite 700         Chula Vista         CA             91915
313 Corte Madera Town Center         Corte Madera         CA             94925
5604 Bay Street         Emeryville         CA             94608
810 West Valley Parkway         Escondido         CA             92025
1315 E. Gladstone Street         Glendora         CA             91740
5183 Montclair Plaza Lane         Montclair         CA             91763
894 Marsh St Bldg G         San Luis Obispo         CA             93401
2615 Vista Way         Oceanside         CA             92054
72-840 Highway 111 Suite 425         Palm Desert         CA             92260
27460 West Lugonia Ave         Redlands         CA             92374
1150 El Camino Real Space 277         San Bruno         CA             94066
10775 Westview Parkway         San Diego         CA             92126
3600 Stevens Creek Blvd         San Jose         CA             95117
11 West Hillsdale Blvd.         San Mateo         CA             94403
9938 Mission Gorge Road         Santee         CA             92071
40570 Winchester Rd         Temecula         CA             92591
4820 Telephone Road         Ventura         CA             93003
1149 S. Main St.         Walnut Creek         CA             94596
470 Universal Drive North         North Haven         CT             06473
100 Greyrock Place Suite H009         Stamford         CT             06901
60 Isham Road         W. Hartford         CT             06107
18711 NE Biscayne Blvd         Aventura         FL             33180
333 N. Congress Avenue         Boynton Beach         FL             33436
152 Miracle Mile         Coral Gables         FL             33134
1900 W International Spdway         Daytona Beach         FL             32114
2051 N. Federal Highway         Fort Lauderdale         FL             33305
12405 N Kendall Drive         Miami         FL             33186
11380 Legacy Ave         Palm Beach Gardens         FL             33410
14572 SW 5th St Suite 10140         Pembroke Pines         FL             33027
11820 Pines Blvd         Pembroke Pines         FL             33026
5701 Sunset Drive Suite 196         S. Miami         FL             33143
700 Rosemary Ave Unit #104         West Palm Beach         FL             33401
1441 West Webster Avenue         Chicago         IL             60614
1130 North State Street         Chicago         IL             60610
5380 Route 14         Crystal Lake         IL             60014
20600 North Rand Road         Deer Park         IL             60010
728 North Waukegan Road         Deerfield         IL             60015
1630 Sherman Avenue         Evanston         IL             60201
1468 Springhill Mall Blvd         W. Dundee         IL             60118
170 Boylston Street         Chestnut Hill         MA             02467
96 Derby Street Suite 300         Hingham         MA             02043
82 Providence Highway         East Walpole         MA             02032
395 Route 3 East         Clifton         NJ             07014
55 Parsonage Road         Edison         NJ             08837
2134 State Highway 35         Holmdel         NJ             07733
4831 US Hwy 9         Howell         NJ             07731
23-80 Bell Blvd.         Bayside         NY             11360
176-60 Union Turnpike         Fresh Meadows         NY             11366
1542 Northern Blvd         Manhasset         NY             11030
160 E 54th Street (Citicorp)         New York         NY             10022
2289 Broadway         New York         NY             10024
33 East 17th Street (Union Square)         New York         NY             10003
555 Fifth Ave         New York         NY             10017
2245 Richmond Avenue         Staten Island         NY             10314
230 Main St         White Plains         NY             10601
97 Warren Street         New York         NY             10007
100 West Bridge Street         Homestead         PA             15120
800 Settlers Ridge Center Drive         Pittsburgh         PA             15205
1311 West Main Road         Middleton         RI             02842
371 Putnam Pike Suite 330         Smithfield         RI             02917
1350-B Bald Hill Rd         Warwick         RI             02886
 
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.