DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Barnes & Noble discloses breach involving pin pads at dozens of stores (update2)

Posted on October 24, 2012 by Dissent

Remember when Michael’s Stores found that pin pads in some stores had been replaced?  It looks like the same thing has happened to bookseller Barnes & Noble’s brick and mortar stores.  According to the New York Times,  the firm discovered the breach on September 14. As of now, it appears that pads at 63 stores were tampered with in the following states: California, Connecticut, Florida, New York, New Jersey, Rhode Island, Massachusetts, Illinois, and Pennsylvania. There have reportedly been some claims of fraudulent use of card numbers associated with the breach.

So when will B&N send notifications to consumers – or won’t they? They did notify card issuers, and if all B&N has is name and card number, they may leave it to the card issuers to  notify customers. The chain does suggest changing your PIN number, but doesn’t indicate how far back this breach might go. They do say that most fraudulent charges occurred in September.

Although the breach was detected on September 14, initial disclosure was delayed so as not to interfere with the government investigation.  That’s understandable and permissible, but consider this:

The company has received two letters from the United States attorney’s office for the Southern District of New York that said it did not have to report the attacks to its customers during the investigation, according to the official. At least one of the letters said that the company could wait until Dec. 24 to tell the customers.

Where did the USAO get that December 24th date? Were they asked specifically if they could delay that long so as not to interfere with holiday sales, or was the USAO guestimating how long the investigation would take or….?

There is no notice on B&N’s web site at the time of this posting.

Update 1:  Their notification and press release are now up on California AG’s web site.  I suspect media coverage resulted in the customer notification letter which is dated today.

Update 2: And now CT’s AG Jepsen has opened an investigation.

Image credit: Barnes & Noble by phototakeouterBX/Flickr.

Category: Breach IncidentsBusiness SectorOf NoteSkimmersU.S.

Post navigation

← Survey on privacy and healthcare fraud seeks participants
174 million records compromised in 855 data breach incidents last year, says report →

2 thoughts on “Barnes & Noble discloses breach involving pin pads at dozens of stores (update2)”

  1. IA Eng says:
    October 26, 2012 at 7:39 am

    To me, the so-called Dec. 24th date is the last possible date for shopping for the holidays. Looks like if that were to hold true, the governments’ potential position was, presumably to protect the companies bottom line – the almighty dollar.

    I am sure it takes a bit to collect data, and if the breach is discovered, the horde of investigators were/are probably digging though logs from many sources, including router hops along the way. If they are quick, and greed is still there, they may have waited to see if the illegal activity was still going on.

    Unless the people responsible for the illegal activity are very good, they are going to be standing in front of a judge. Look at all the major cases that have caught the evil. It happens – alot.

    Unless people are willing to take that huge wad of cash and live somewhere that is either war-torn, poverty or otherwise out of reach from US authorities, they will be caught.

    Now on a breach like this, who tracks what cards got whackd and which did not? Its good that people are opening up and letting the feds/govt know, but unless all cards are replaced, some other information may be compromised. Like they say about OPSEC, all it takes is pieces here and there before you go from a puzzle to a picture. I am sure people have spreadsheets with missing information, and take other sheets and fill in blanks. More reliable the info the higher it sells.

    Lets hope the US govt has a similar ist of information that is used for investigative purposes only. There is alot of information in any data that is passed from person to person. It will be relatively easy to snag the bottom feeders. Time will tell if they actually get the actual people who violated B&N.

  2. anony says:
    October 26, 2012 at 2:10 pm

    http://www.barnesandnobleinc.com/press_releases/10_23_12_Important_Customer_Notice.html

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors
  • Two Men Sentenced to Prison for Aggravated Identity Theft and Computer Hacking Crimes
  • 100,000 UK taxpayer accounts hit in £47m phishing attack on HMRC
  • CISA Alert: Updated Guidance on Play Ransomware
  • Almost one year later, U.S. Dermatology Partners is still not being very transparent about their 2024 breach

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant
  • US State Dept. says silence or anonymity on social media is suspicious

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.