October 24, 2012, 9:43 PM — Barnes & Noble has removed PIN pad devices from all of its nearly 700 stores nationwide as a precaution after detecting evidence of tampering with the devices at 63 of its stores in eight states.
In a statement Wednesday, the company urged customers who had used their debit cards at the affected stores to change their PIN numbers and to notify their banks immediately of any suspicious transactions. Customers who used credit cards to pay for purchases at the affected stores should review their statements for unauthorized transactions and inform their bank about them, the company said.
A total of 63 stores in California, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania and Rhode Island were affected by the September breach.
Barnes & Noble said the compromise was limited to one tampered PIN pad device at each of the 63 stores. The company did not say how many customers may have been affected by the compromise or why it waited for more than a month to disclose the breach.
Many of the states where the tampering occurred have data breach laws that call for the speedy disclosure of breaches involving loss of credit card, debit card and other sensitive data. However, some of the states also allow exemptions in situations where law enforcement authorities might advise a company not to disclose a breach until early investigations are completed.
"The criminals planted bugs in the tampered PIN pad devices, allowing for the capture of credit card and PIN numbers," Barnes & Noble said in its statement. Federal and local law enforcement are investigating the breach, the company noted.
A Barnes & Noble spokeswoman said the compromise was detected last month and all the PIN pads were taken offline on Sept. 14. The company does not know when the devices were tampered with or how long the compromised devices may have been in place before being detected and removed, she added. The spokeswoman did not offer any details on when Barnes & Noble planned to bring its PIN pad devices back online.
Customers can continue to use their debit and credit cards to pay for purchases via the company's cash registers, the company said.
The breach does not affect Barnes & Noble's customer database, nor does it affect purchases made via its online store. Nook e-reader and Nook mobile applications were also unaffected by the intrusion, the company said.
"The tampering, which affected fewer than 1% of PIN pads in Barnes & Noble stores, was a sophisticated criminal effort to steal credit card information, debit card information, and debit card PIN numbers from customers who swiped their cards through PIN pads when they made purchases," the company said.