Bookseller Barnes & Noble confessed that customers who have shopped recently in one of 63 stores in the US may have had credit card information stolen. The company had discovered about September 14 that one PIN entry pad in each of its retail stores had been broken into by hackers. The company defended its decision not to inform the public until now, saying that it had informed credit card companies that accounts had been compromised, and that the US attorney's office in New York had said it could wait until December 24 to tell customers.
After determining that security had been compromised, Barnes & Noble turned off all 7,000 keypads and had them shipped to a security company to determine the nature of the break-in. "Right now, we have no PIN pads in any stores and we are O.K. with that," a company official said.
"Customers can make transactions securely today by asking booksellers to swipe their credit and signature debit cards through the card readers connected to cash registers," Barnes & Noble said in a statement. The company said its customer database is secure. Purchases made on the Barnes & Noble website, Nook e-reader and Nook mobile apps are not affected.
"This is no small undertaking," said Edward Schwartz, the chief security officer at data protection company RSA. "An attack of this type involves many different phases of reconnaissance and multiple levels of exploitation."
A list of the 63 stores with cracked PIN entry pads is not available. Barnes & Noble is still weighing whether to contact individual customers affected by the breach.