PIN pad tampering was 'sophisticated' crime

October 24, 2012

The Associated Press and Caroline O'Donovan

Barnes & Noble Inc. said Wednesday that the tampering of devices used by customers to swipe credit and debit cards in 63 of its stores was a "sophisticated criminal effort" to steal information, and reiterated it's working with federal law enforcement authorities.

Some of that stolen information came from shoppers at Chicago’s State Street location. Customers approached by WBEZ were surprised to hear about the hacking; due to a pending FBI investigation, the chain withheld the news of the security breach until late Tuesday.

“They should probably release these things more quickly,” said Dan Walker. “I’d like to know, you know. If I know it’s going on in the area, I’ll be more likely to use cash.”

He added, “Knowing that it can hit some place like this, I’ll be a little more cautious.”

Other shoppers said they typically try to protect themselves by using credit cards sparingly online. Isabel Lee said she would consider ordering a credit card with photo identification on it.

Most of the customers, however, seemed resigned to the reality of credit card information theft. “I had my own business,” said Hillary Lake, “and I know, things like that happen unfortunately with technology today.”

One man was even more confident. “Capitalism needs the credit system,” said Steven Lee, “so if there’s a couple [people] who steal, that’s not going to stop society from commerce.”

The nation's largest bookseller late Tuesday disclosed the data breach in stores in California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania and Rhode Island, and warned customers to check for unauthorized transactions and to change their personal identification numbers, or PINs.

B&N said only one device, or PIN pad, was tampered with in each store, affecting less than 1 percent of these devices in its stores. It released a complete list of locations that were affected. All the PIN pads in its nearly 700 stores nationwide were disconnected on Sept. 14, after the company learned of the tampering.

In a news release issued Wednesday, B&N said the criminals planted bugs in the tampered devices, allowing for the capture of credit card and PIN numbers. The company said the problem was discovered last month and all affected PIN pads were shut off by Sept. 14. It did not say how long they were in use before they were discovered.

B&N said that it's continuing to work with federal law enforcement and with banks, payment card brands and issuers to identify accounts that may have been compromised, so that additional fraud-protection measures can be taken.

Customers at its book stores will now have to ask cashiers to swipe credit or debit cards on card readers connected to cash registers, a process that is secure, Barnes & Noble said.

Anything bought on Barnes & or with the chain's Nook devices and app were not affected, the company said. It also said its customer database is secure.

Barnes & Noble is only the latest major retailer to be a victim of a serious data breach. In one of the largest, more than 45 million credit and debit cards were exposed to possible fraud because of hackers who broke into the computer system of TJX Cos., the parent company of retailers T.J. Maxx and Marshall's, starting in 2005.