Barnes & Noble halts use of PIN pad devices after data breach
Payment terminals at 63 stores in eight states compromised; unknown number of customers affected
Computerworld - Barnes & Noble has removed PIN pad devices from all of its nearly 700 stores nationwide as a precaution after detecting evidence of tampering with the devices at 63 of its stores in eight states.
It a statement Wednesday, the company urged customers who had used their debit cards at the affected stores to change their PIN numbers and to notify their banks immediately of any suspicious transactions. Customers who used credit cards to pay for purchases at the affected stores should review their statements and tell their banks if they find unauthorized transactions, the company said.
A total of 63 stores in California, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania and Rhode Island were affected by the September breach.
Barnes & Noble said the compromise was limited to one tampered PIN pad device at each of the 63 stores. The company did not say how many customers may have been affected by the compromise or why it waited for more than a month to disclose the breach.
Many of the states where the tampering occurred have data breach laws that call for the speedy disclosure of breaches involving loss of credit or debit card data or other sensitive information. However, some of the states also allow exemptions in situations where law enforcement authorities might advise a company not to disclose a breach until early investigations are completed.
"The criminals planted bugs in the tampered PIN pad devices, allowing for the capture of credit card and PIN numbers," Barnes & Noble said in its statement. Federal and local law enforcement agencies are investigating the breach, the company noted.
A Barnes & Noble spokeswoman said the compromise was detected last month and all the PIN pads were taken offline on Sept. 14. The company does not know when the devices were tampered with or how long the compromised devices may have been in place before being detected and removed, she added. The spokeswoman did not offer any details on when Barnes & Noble planned to bring its PIN pad devices back online.
Customers can continue to use debit and credit cards to pay for purchases via the company's cash registers, the company said.
The breach does not affect Barnes & Noble's customer database, nor does it affect purchases made via its online store. Nook e-reader and Nook mobile applications were also unaffected by the intrusion, the company said.
"The tampering, which affected fewer than 1% of PIN pads in Barnes & Noble stores, was a sophisticated criminal effort to steal credit card information, debit card information, and debit card PIN numbers from customers who swiped their cards through PIN pads when they made purchases," the company said.
Payment card theft involving compromised PIN pad devices is not new. In 2010, discount grocer Aldi Inc. disclosed a data breach in which criminals stole debit card data from an undisclosed number of people after tampering with PIN pad terminals at stores across 11 states.
Last year, Michaels Stores, a chain that sells arts and crafts supplies, reported that nearly 100 payment card terminals at stores in 20 states had been tampered with by criminals looking to steal debit and credit card data.
Contrary to what one might expect, tampering with payment card terminals at retail stores is not very difficult, said Avivah Litan, an analyst at Gartner.
In most cases, crooks begin by targeting specific payment devices, not necessarily the store itself. "What they do is study the equipment," she said. "They take it apart, look at it and then build [a card skimmer] that can be slipped into it very quickly."
Often small and unobtrusive, card skimmers are designed to capture and wirelessly transmit card data to offsite servers. The crooks then attack stores using those devices, she said.
"I know of at least one case where they did this at a bank," said Litan. "With all that security, they just went in and slipped a skimmer into a bank ATM."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His email address is firstname.lastname@example.org.
- Snowden advocates at SXSW for improved data security
- Joomla receives patches for zero-day SQL injection vulnerability, other flaws
- NSA used 'European bazaar' to spy on EU citizens
- Target CIO resigns following breach
- Evan Schuman: Mobile IT Roach Motel: Data checks in, but it won't check out
- Sears finds no evidence of data breach -- yet
- Gameover malware is tougher to kill with new rootkit component
- Mobile app for RSA Conference exposes personal data
- UK man charged with hacking Federal Reserve
- Bloomberg clamps down with data-access policies after scandal
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- OpenStack Hype vs. Reality: CIO Quick Pulse Open-source architecture can enable IT departments to build infrastructure-as-a-service (IaaS) clouds running on standard hardware.
- Building a Bridge to the Next Generation Data Center Selecting a widely adopted operating system is a foundational component of a standardization strategy.
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Cybercrime and Hacking White Papers | Webcasts