
Barnes & Noble warns customers of data theft

Byron Acohido, USA TODAY
  • 63 stores in 9 states affected; see link to list
  • PIN pads in all 700 stores have been disconnected
  • Customers advised to change PINs in wake of likely, well-planned insider tampering job

Federal authorities are investigating a sophisticated scam that gave thieves access to customer payment card data at 63 Barnes & Noble bookstores, the company announced Wednesday.

A Barnes & Noble bookstore. The company says 63 stores were affected by tampering with PIN pads.

Customers of those stores may have had their credit or debit card information stolen as recently as last month.

"This latest breach appears to be a physical manipulation of the card readers in order to gain both debit card details and their accompanying PINs," says Gunter Ollmann, vice president of research at security firm Damballa.

The retail chain, which operates nearly 700 bookstores, said that federal law enforcement authorities have been informed of the breach and that it is supporting their investigation.

The company has discontinued use of PIN (personal identification number) pads in all of its stores, according to a Barnes & Noble news release. Debit card users who think their cards may have been compromised should change their PINs, the company says.

Barnes & Noble said bugs were implanted in PIN pads that enabled thieves to extract credit card information and PINs. It detected tampering with one PIN pad device at each of the affected stores, located in California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania and Rhode Island, the company said.

Ollmann says that it is unlikely that a series of card readers were compromised as they were being manufactured or distributed to the stores. "Only one reader per store was affected — which doesn't smell of a supply chain problem."

The perpetrators most likely had repeated access to either the card readers themselves or the supporting computer systems, or both, Ollmann says.

"Based upon what has been disclosed thus far by Barnes & Noble, this is an insider threat perpetrated by criminals who had physical access to the card readers," Ollmann says.
