Barnes & Noble Reveals PIN Pad Tampering Breach at Nearly 9 Percent of Its Stores

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

National bookseller chain Barnes & Noble Inc. Oct. 24 revealed that it had discovered tampering with personal identification number pads used to process payment card transactions at 63 stores.

It is not clear from the company's statement when the tampering was discovered, but it did say that after discovering that “bugs” had been planted in some devices, it disconnected all PIN pads in its stores by the close of business Sept. 14.

The company said in a statement that it is working with law enforcement in an ongoing investigation of the breach.

“Not a New Trick.”

“This is not a new trick,” Heather Sussman, a partner at McDermott Will & Emery LLP, in Boston, told BNA Oct. 24, adding that “it is becoming harder to detect due to increasingly sophisticated thieves.”

In May 2011, arts and crafts retail giant Michaels Stores Inc. announced that it had fallen victim to a similar scheme and had removed all of its PIN pads from service (10 PVLR 775, 5/23/11). Of the thousands of potentially compromised payment cards that were skimmed by thieves, only 100 were actually used for fraudulent purposes, Michaels said at the time.

Michaels continues to face consumer class lawsuits alleging that it failed to provide adequate data security (10 PVLR 1734, 12/5/11). The Federal Trade Commission, however, decided not to recommend a data security enforcement action against the company (11 PVLR 1140, 7/16/12).

Customer Database, Online Purchases Not at Risk.

The 63 stores affected represent approximately 9 percent of the chain's nearly 700 stores, but an internal investigation of all of its PIN pads showed that only one PIN pad in each of the stores was affected, the company said. That means fewer than 1 percent of all PIN pads in stores across the country were affected, Barnes &Noble said.

The company said that its investigation concluded that its customer database was not compromised by the attempt to collect card number and PIN data from debit and credit cards swiped on the compromised card readers.

No purchases made with payment cards through the company's website or using its e-book readers were at risk, the company said.

The affected stores were located in nine states: California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania, and Rhode Island.

A list of the Barnes & Noble stores where a PIN pad device was found to have been tampered with is available at

Request Bloomberg Law: Privacy & Data Security