Compromised POS terminals found in 63 Barnes & Noble bookstores

Federal authorities are investigating a sophisticated scam that gave thieves access to customer payment card data at 63 Barnes & Noble bookstores, the company announced Wednesday.

Customers of those stores may have had their credit or debit card information stolen as recently as last month.

Stores affected by data breach

“This latest breach appears to be a physical manipulation of the card readers in order to gain both debit card details and their accompanying PINs,” says Gunter Ollmann, vice president of research at security firm Damballa.

The retail chain, which operates nearly 700 bookstores, said that federal law enforcement authorities have been informed of the breach and that it is supporting their investigation.

The company has discontinued use of PIN (personal identification number) pads in all of its stores, according to a Barnes & Noble news release. Debit card users who think their cards may have been compromised should change their PINs, the company says.


Barnes & Noble said bugs were implanted in PIN pads that enabled thieves to extract credit card and PINs. It detected tampering with one PIN pad device at each of the affected stores, located in California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania and Rhode Island, the company said.

Ollmann says that it is unlikely that a series of card readers were compromised as they were being manufactured or distributed to the stores. “Only one reader per store was affected — which doesn’t smell of a supply chain problem.”

The perpetrators most likely had repeated access to either the card readers themselves or the supporting computer systems, or both, Ollmann says.

“Based upon what has been disclosed thus far by Barnes & Noble, this is an insider threat perpetrated by criminals who had physical access to the card readers,” Ollmann says.


Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone