DataBreaches.Net


Barnes & Noble discloses breach involving PIN pads at dozens of stores (update2)

Posted on October 24, 2012 by Dissent

Remember when Michael’s Stores found that PIN pads in some stores had been replaced? It looks like the same thing has happened to bookseller Barnes & Noble’s brick-and-mortar stores. According to the New York Times, the firm discovered the breach on September 14. As of now, it appears that pads at 63 stores were tampered with in the following states: California, Connecticut, Florida, New York, New Jersey, Rhode Island, Massachusetts, Illinois, and Pennsylvania. There have reportedly been some claims of fraudulent use of card numbers associated with the breach.

So when will B&N send notifications to consumers – or won’t they? They did notify card issuers, and if all B&N has is name and card number, they may leave it to the card issuers to notify customers. The chain does suggest changing your PIN, but doesn’t indicate how far back this breach might go. They do say that most fraudulent charges occurred in September.

Although the breach was detected on September 14, initial disclosure was delayed so as not to interfere with the government investigation. That’s understandable and permissible, but consider this:

The company has received two letters from the United States attorney’s office for the Southern District of New York that said it did not have to report the attacks to its customers during the investigation, according to the official. At least one of the letters said that the company could wait until Dec. 24 to tell the customers.

Where did the USAO get that December 24th date? Were they asked specifically if they could delay that long so as not to interfere with holiday sales, or was the USAO guesstimating how long the investigation would take, or….?

There is no notice on B&N’s web site at the time of this posting.

Update 1: Their notification and press release are now up on the California AG’s web site. I suspect media coverage resulted in the customer notification letter, which is dated today.

Update 2: And now CT’s AG Jepsen has opened an investigation.

Image credit: Barnes & Noble by phototakeouterBX/Flickr.


Category: Breach Incidents, Business Sector, Of Note, Skimmers, U.S.


2 thoughts on “Barnes & Noble discloses breach involving PIN pads at dozens of stores (update2)”

  1. IA Eng says:
    October 26, 2012 at 7:39 am

    To me, the so-called Dec. 24th date is the last possible date for shopping for the holidays. Looks like if that were to hold true, the government’s potential position was, presumably, to protect the company’s bottom line – the almighty dollar.

    I am sure it takes a bit to collect data, and if the breach is discovered, the horde of investigators were/are probably digging through logs from many sources, including router hops along the way. If they are quick, and greed is still there, they may have waited to see if the illegal activity was still going on.

    Unless the people responsible for the illegal activity are very good, they are going to be standing in front of a judge. Look at all the major cases that have caught the evil. It happens – a lot.

    Unless people are willing to take that huge wad of cash and live somewhere that is either war-torn, poverty-stricken or otherwise out of reach from US authorities, they will be caught.

    Now on a breach like this, who tracks what cards got whacked and which did not? It’s good that people are opening up and letting the feds/govt know, but unless all cards are replaced, some other information may be compromised. Like they say about OPSEC, all it takes is pieces here and there before you go from a puzzle to a picture. I am sure people have spreadsheets with missing information, and take other sheets and fill in blanks. The more reliable the info, the higher it sells.

    Let’s hope the US govt has a similar list of information that is used for investigative purposes only. There is a lot of information in any data that is passed from person to person. It will be relatively easy to snag the bottom feeders. Time will tell if they actually get the actual people who violated B&N.

  2. anony says:
    October 26, 2012 at 2:10 pm

    http://www.barnesandnobleinc.com/press_releases/10_23_12_Important_Customer_Notice.html
