Barnes & Noble, the nation’s largest book chain, has suffered a data breach resulting in the loss of customer credit card data. Notification of the breach was withheld for more than a month at the request of the FBI.
Barnes & Noble insiders, who originally spoke to the New York Times, said that the breach was the result of a compromise of the terminals where customers would swipe cards. The company initially learned of the data theft in September, but withheld notification to customers and the public for a month at the behest of law enforcement.
“We have acted at the direction of the U.S. government and they have specifically told us not to disclose it, and there we have complied,” a Barnes & Noble official told the Times in a statement.
The book chain is still investigating the incident, and has so far not released much in the way of information. What is known is that keypads used at the registers were compromised, leading to speculation that it was an insider job or a highly sophisticated attack.
The stolen information was used to make unauthorized purchases, the company said, but those actions tapered off towards the end of September. The company has said that customers should change their PINs if they shopped at one of the 63 stores impacted by the incident, and watch for unauthorized activity on those accounts.
Stores in California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania, and Rhode Island were compromised. A full list with addresses can be seen below.
The company said it does not currently have PIN pads in any of its nearly 700 stores in the United States.
It is important to note that purchases from college bookstores, BN.com, Nook and Nook Mobile were not impacted by the compromise.
In a statement on Wednesday, the company said the tampering affected fewer than 1% of PIN pads in Barnes & Noble stores.
"[The attack] was a sophisticated criminal effort to steal credit card information, debit card information, and debit card PIN numbers from customers who swiped their cards through PIN pads when they made purchases," the company said in the statement. "This situation involved only purchases in which a customer swiped a credit or debit card in a store using one of the compromised PIN pads."
This is not the first time a large retailer has been hit by such an attack. In May 2011, craft chain Michaels Stores reported that 90 PIN pads across some of its 995 stores nationwide had been compromised. Those attacks resulted in victims reporting fraudulent withdrawals of up to $500 made from ATMs from credit and debit card accounts. Following the incident, Michaels removed approximately 7,200 comparable PIN pads from all its US stores.
As SecurityWeek columnist Robert Vamosi notes, some newer Point of Sale systems in the US have built-in authentication systems designed to protect merchants against fraudulent PIN pads.
“This, of course, requires the merchant to purchase a new terminal, and often upgrade or replace their current POS software as well,” Vamosi wrote. “Some mid-sized businesses might see the benefits and go ahead. Small businesses may not be able to absorb the costs. And, large businesses may choose to roll out such systems over a period of fiscal quarters or years.”
The Payment Card Industry (PCI) Security Standards Council has also issued guidance (PDF) around skimming attacks like this.
The full list of Barnes & Noble stores that were breached is included here:
| Address | City | State | ZIP |
|---|---|---|---|
| 4735 Commons Way | Calabasas | CA | 91302 |
| 2470 Tuscany Street Suite 101 | Corona | CA | 92881 |
| 2015 Birch Road Suite 700 | Chula Vista | CA | 91915 |
| 313 Corte Madera Town Center | Corte Madera | CA | 94925 |
| 5604 Bay Street | Emeryville | CA | 94608 |
| 810 West Valley Parkway | Escondido | CA | 92025 |
| 1315 E. Gladstone Street | Glendora | CA | 91740 |
| 5183 Montclair Plaza Lane | Montclair | CA | 91763 |
| 894 Marsh St Bldg G | San Luis Obispo | CA | 93401 |
| 2615 Vista Way | Oceanside | CA | 92054 |
| 72-840 Highway 111 Suite 425 | Palm Desert | CA | 92260 |
| 27460 West Lugonia Ave | Redlands | CA | 92374 |
| 1150 El Camino Real Space 277 | San Bruno | CA | 94066 |
| 10775 Westview Parkway | San Diego | CA | 92126 |
| 3600 Stevens Creek Blvd | San Jose | CA | 95117 |
| 11 West Hillsdale Blvd. | San Mateo | CA | 94403 |
| 9938 Mission Gorge Road | Santee | CA | 92071 |
| 40570 Winchester Rd | Temecula | CA | 92591 |
| 4820 Telephone Road | Ventura | CA | 93003 |
| 1149 S. Main St. | Walnut Creek | CA | 94596 |
| 470 Universal Drive North | North Haven | CT | 06473 |
| 100 Greyrock Place Suite H009 | Stamford | CT | 06901 |
| 60 Isham Road | W. Hartford | CT | 06107 |
| 18711 NE Biscayne Blvd | Aventura | FL | 33180 |
| 333 N. Congress Avenue | Boynton Beach | FL | 33436 |
| 152 Miracle Mile | Coral Gables | FL | 33134 |
| 1900 W International Spdway | Daytona Beach | FL | 32114 |
| 2051 N. Federal Highway | Fort Lauderdale | FL | 33305 |
| 12405 N Kendall Drive | Miami | FL | 33186 |
| 11380 Legacy Ave | Palm Beach Gardens | FL | 33410 |
| 14572 SW 5th St Suite 10140 | Pembroke Pines | FL | 33027 |
| 11820 Pines Blvd | Pembroke Pines | FL | 33026 |
| 5701 Sunset Drive Suite 196 | S. Miami | FL | 33143 |
| 700 Rosemary Ave Unit #104 | West Palm Beach | FL | 33401 |
| 1441 West Webster Avenue | Chicago | IL | 60614 |
| 1130 North State Street | Chicago | IL | 60610 |
| 5380 Route 14 | Crystal Lake | IL | 60014 |
| 20600 North Rand Road | Deer Park | IL | 60010 |
| 728 North Waukegan Road | Deerfield | IL | 60015 |
| 1630 Sherman Avenue | Evanston | IL | 60201 |
| 1468 Springhill Mall Blvd | W. Dundee | IL | 60118 |
| 170 Boylston Street | Chestnut Hill | MA | 02467 |
| 96 Derby Street Suite 300 | Hingham | MA | 02043 |
| 82 Providence Highway | East Walpole | MA | 02032 |
| 395 Route 3 East | Clifton | NJ | 07014 |
| 55 Parsonage Road | Edison | NJ | 08837 |
| 2134 State Highway 35 | Holmdel | NJ | 07733 |
| 4831 US Hwy 9 | Howell | NJ | 07731 |
| 23-80 Bell Blvd. | Bayside | NY | 11360 |
| 176-60 Union Turnpike | Fresh Meadows | NY | 11366 |
| 1542 Northern Blvd | Manhasset | NY | 11030 |
| 160 E 54th Street (Citicorp) | New York | NY | 10022 |
| 2289 Broadway | New York | NY | 10024 |
| 33 East 17th Street (Union Square) | New York | NY | 10003 |
| 555 Fifth Ave | New York | NY | 10017 |
| 2245 Richmond Avenue | Staten Island | NY | 10314 |
| 230 Main St | White Plains | NY | 10601 |
| 97 Warren Street | New York | NY | 10007 |
| 100 West Bridge Street | Homestead | PA | 15120 |
| 800 Settlers Ridge Center Drive | Pittsburgh | PA | 15205 |
| 1311 West Main Road | Middleton | RI | 02842 |
| 371 Putnam Pike Suite 330 | Smithfield | RI | 02917 |
| 1350-B Bald Hill Rd | Warwick | RI | 02886 |