DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Barnes & Noble discloses breach involving pin pads at dozens of stores (update2)

Posted on October 24, 2012 by Dissent

Remember when Michael’s Stores found that pin pads in some stores had been replaced?  It looks like the same thing has happened to bookseller Barnes & Noble’s brick and mortar stores.  According to the New York Times,  the firm discovered the breach on September 14. As of now, it appears that pads at 63 stores were tampered with in the following states: California, Connecticut, Florida, New York, New Jersey, Rhode Island, Massachusetts, Illinois, and Pennsylvania. There have reportedly been some claims of fraudulent use of card numbers associated with the breach.

So when will B&N send notifications to consumers – or won’t they? They did notify card issuers, and if all B&N has is name and card number, they may leave it to the card issuers to  notify customers. The chain does suggest changing your PIN number, but doesn’t indicate how far back this breach might go. They do say that most fraudulent charges occurred in September.

Although the breach was detected on September 14, initial disclosure was delayed so as not to interfere with the government investigation.  That’s understandable and permissible, but consider this:

The company has received two letters from the United States attorney’s office for the Southern District of New York that said it did not have to report the attacks to its customers during the investigation, according to the official. At least one of the letters said that the company could wait until Dec. 24 to tell the customers.

Where did the USAO get that December 24th date? Were they asked specifically if they could delay that long so as not to interfere with holiday sales, or was the USAO guestimating how long the investigation would take or….?

There is no notice on B&N’s web site at the time of this posting.

Update 1:  Their notification and press release are now up on California AG’s web site.  I suspect media coverage resulted in the customer notification letter which is dated today.

Update 2: And now CT’s AG Jepsen has opened an investigation.

Image credit: Barnes & Noble by phototakeouterBX/Flickr.

Related posts:

  • Heartland in $60 mln settlement agreement with Visa
  • (update) Michaels Stores finds tampered PIN pads in 20 states
Category: Breach IncidentsBusiness SectorOf NoteSkimmersU.S.

Post navigation

← Survey on privacy and healthcare fraud seeks participants
174 million records compromised in 855 data breach incidents last year, says report →

2 thoughts on “Barnes & Noble discloses breach involving pin pads at dozens of stores (update2)”

  1. IA Eng says:
    October 26, 2012 at 7:39 am

    To me, the so-called Dec. 24th date is the last possible date for shopping for the holidays. Looks like if that were to hold true, the governments’ potential position was, presumably to protect the companies bottom line – the almighty dollar.

    I am sure it takes a bit to collect data, and if the breach is discovered, the horde of investigators were/are probably digging though logs from many sources, including router hops along the way. If they are quick, and greed is still there, they may have waited to see if the illegal activity was still going on.

    Unless the people responsible for the illegal activity are very good, they are going to be standing in front of a judge. Look at all the major cases that have caught the evil. It happens – alot.

    Unless people are willing to take that huge wad of cash and live somewhere that is either war-torn, poverty or otherwise out of reach from US authorities, they will be caught.

    Now on a breach like this, who tracks what cards got whackd and which did not? Its good that people are opening up and letting the feds/govt know, but unless all cards are replaced, some other information may be compromised. Like they say about OPSEC, all it takes is pieces here and there before you go from a puzzle to a picture. I am sure people have spreadsheets with missing information, and take other sheets and fill in blanks. More reliable the info the higher it sells.

    Lets hope the US govt has a similar ist of information that is used for investigative purposes only. There is alot of information in any data that is passed from person to person. It will be relatively easy to snag the bottom feeders. Time will tell if they actually get the actual people who violated B&N.

  2. anony says:
    October 26, 2012 at 2:10 pm

    http://www.barnesandnobleinc.com/press_releases/10_23_12_Important_Customer_Notice.html

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach
  • Hackers breach Norwegian dam, open valve at full capacity

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Nestle USA Settles Suit Over Job-Application Medical Questions
  • NY Attorney General James Affirms Hospitals Must Provide Access to Emergency Abortion Care
  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule
  • The Markup caught 4 more states sharing personal health data with Big Tech

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.