Customer payment card information was stolen from 63 Barnes & Noble stores nationwide when thieves tampered with the keypads customers use to enter their PINs during a purchase. The company discovered the compromise Sept. 14 but did not disclose the theft because the Justice Department requested that the matter be kept quiet while the FBI investigated the attacks.
A Barnes & Noble spokesman said Oct. 23 that the data thefts occurred when a hacker placed a “bug” in one PIN pad device at each of the affected stores. The latest thefts occurred last month; as soon as the breach was discovered, the company disconnected all PIN pads in its nearly 700 stores and shipped the devices to a facility where they can be examined as part of the investigation. It is not yet known how many customers were affected.
A Barnes & Noble official told the New York Times that fraudulent activity had appeared on some customers’ credit card accounts, but that most of the fraud occurred in September and has been declining in recent weeks. The official also defended the company’s decision not to inform customers about the attack, explaining that it had told the credit card companies that certain accounts could be compromised.
“We have acted at the direction of the U.S. government and they have specifically told us not to disclose it, and there we have complied,” the official, who asked not to be identified because the investigation was continuing, told the Times.
The U.S. attorney’s office for the Southern District of New York sent Barnes & Noble two letters advising that the company was not required to report the attacks to its customers during the investigation. One of those letters, according to the official, stated that the company could wait until Dec. 24 to inform customers of the data compromise.
Barnes & Noble has not yet reinstalled PIN pads in any of its stores. Customers paying by credit or debit card must hand the card to a cashier, who swipes it in a device attached to the cash register.
“Right now, we have no PIN pads in any stores and we are OK with that,” the company official told the Times.
Although most states require companies to notify customers when their personal information, such as account numbers, Social Security numbers or driver’s license numbers, is compromised, encrypted information is generally exempt: if a company encrypts its customer data, most state laws do not require it to inform customers of a breach of that data (in many states, only so long as the encryption key was not also compromised). And according to computer security experts, obtaining such encrypted information requires a multilayered attack.
“This is no small undertaking,” Edward Schwartz, the chief security officer at security company RSA, told the Times. “An attack of this type involves many different phases of reconnaissance and multiple levels of exploitation.”
According to a survey by ACI Worldwide, a company that supplies card payment systems, and Aite Group, a research firm, 42 percent of American consumers have been victims of credit card fraud in the last five years, compared with 32 percent in a 2010 survey.
“The results of this survey show that card fraud continues to be one of the greatest threats and concerns for consumers, financial institutions and retailers,” said Mike Braatz, senior vice president of payments and fraud at ACI Worldwide. “While there have been significant advances in fraud prevention technology, it is clear that more needs to be done to educate consumers about fraud and engage them as allies when it occurs. These results should serve as a call-to-action for financial institutions and retailers to remain constantly vigilant and earn the trust of customers by working with them to combat fraud.”