Hackers Compromise Barnes and Noble PIN Pads

Barnes & Noble today announced that it detected tampering with PIN pad devices at 63 of its stores. In response, the company has temporarily discontinued use of PIN pads at all of the company’s stores nationwide, and has notified federal law enforcement authorities.

“The security breach was first discovered on September 14, but the retailer did not make the information public at the request of government agencies, which are now investigating the matter,” writes TechHive’s Daniel Ionescu.

“The tampering, which affected fewer than 1 percent of PIN pads in Barnes & Noble stores, was a sophisticated criminal effort to steal credit card information, debit card information, and debit card PIN numbers from customers who swiped their cards through PIN pads when they made purchases,” the company said in a statement. “This situation involved only purchases in which a customer swiped a credit or debit card in a store using one of the compromised PIN pads.”

“[Barnes & Noble] does not name the manufacturer of the affected PIN pads, whether they came out of the box affected, or if someone physically walked into the 63 locations and hacked the devices on site,” notes Threatpost’s Brian Donohue. “It does not describe the ways in which the devices were manipulated nor does it go into any detail regarding the number of affected consumers.”

“Barnes & Noble said the compromise was limited to one tampered PIN pad device at each of the 63 stores,” writes Computerworld’s Jaikumar Vijayan. “The company did not say how many customers may have been affected by the compromise or why it waited for more than a month to disclose the breach.”

“Last year, the Michaels art-supply chain revealed that nearly 90 PIN pads had been tampered with at dozens of retail outlets in 20 states,” writes TechNewsDaily’s Paul Wagenseil. “Michaels has not disclosed whether the persons behind the tampering have been apprehended.”

“It would be nice if we could trust large retailers like B&N to have secure payment processing systems, but we can’t,” writes Sophos’ Lisa Vaas. “That means all we can do is keep an eagle eye on our credit card and debit card statements. Or then again, we can just pay with cash, antiquated notion that it is.”

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
