PIN pad devices at more than 60 Barnes & Noble locations were compromised by hackers, according to the giant book dealer. Local and federal authorities have been called in to investigate.
There is no word yet as to how many, if any, credit card numbers were stolen; however, the company processes millions of credit card transactions a month. The fraud was discovered on September 14, but government officials advised that the company keep the information quiet until preliminary investigations were completed.
“Barnes & Noble has completed an internal investigation that involved the inspection and validation of every PIN pad in every store,” according to a release. “The tampering, which affected fewer than 1% of PIN pads in Barnes & Noble stores, was a sophisticated criminal effort to steal credit card information, debit card information, and debit card PIN numbers from customers who swiped their cards through PIN pads when they made purchases. This situation involved only purchases in which a customer swiped a credit or debit card in a store using one of the compromised PIN pads.”
The company stated that data thieves inserted a “bug” in the devices, allowing them to steal credit card numbers and PIN security numbers. Oddly enough, only one tampered device per store was detected, but the thieves were prolific, having tampered with PIN pads in stores located as far apart as New York and California.
To rectify the situation, Barnes & Noble removed all PIN pad devices from its stores. Customers must now hand over their card to the cashier to have it swiped directly at the register.
This situation is particularly worrisome as more and more stores move to self-service and mobile-style POS checkouts. Much has been made of the security benefits of not having the card leave the consumer's sight, but as this situation shows, criminals can still capture data through other means.
Barnes & Noble did not reveal how the data was stolen from the POS. The New York Times noted that it could have been done by malicious code or malware.