Barnes and Noble is the latest major retailer to experience a customer credit card data breach. As hackers get more sophisticated, point-of-sale attacks are increasing.
The breach was not discovered until September 14, 2012, and was heavily concentrated on the East Coast, but stores in Florida, Illinois and California have also been affected.
Approximately 63 Barnes and Noble stores, with card-reading PIN pads at the front registers where customers swipe their credit cards and enter their personal identification numbers (PINs), were compromised.
Hackers who gained access to the terminals stole credit card information for customers who shopped as recently as September. Although the breach was discovered on September 14, 2012, the matter was kept quiet at the request of the Justice Department in order for the F.B.I. to determine who was behind the attacks.
Consumers who shopped at Barnes & Noble over the last several months may want to keep tabs on their financial records and check for unauthorized transactions. It has been reported that some of the credit card numbers have already been used by identity thieves.
Barnes and Noble defended its decision not to inform customers about the data breach, stating the company informed credit card companies that certain accounts might have been compromised.
An official for the company said, “We have acted at the direction of the U.S. government and they have specifically told us not to disclose it, and there we have complied.”
Barnes and Noble did shut down 7000 PIN pads in several hundred stores across the country as it was discovered that many of them had been tampered with. The keypads were shipped to a location where they can be examined.
It was determined that only one keypad in each of the 63 stores had been hacked. “The criminals planted bugs in the tampered PIN pad devices, allowing for the capture of credit card and PIN numbers,” the company said.
“Barnes and Noble disconnected all PIN pads from its stores nationwide by close of business September 14, and customers can securely shop with credit cards through the company’s cash registers. Barnes and Noble said it is committed to providing customers with a safe shopping environment.”
Barnes and Noble has yet to reinstall the devices. “Right now, we have no PIN pads in any stores and we are O.K. with that,” a company official said.
Customers can still use their debit or credit card at the register, but the cashier will swipe their cards on a reader directly connected to the registers.
The company is being tight-lipped about how its network was penetrated. Security experts speculate a company insider could have inserted malicious code, or criminals could have persuaded an unsuspecting employee to click on a malicious link that installed malware, giving the perpetrators access to Barnes & Noble’s point-of-sale terminals.