Barnes & Noble discloses breach involving PIN pads at dozens of stores (update2)
Remember when Michaels Stores found that PIN pads in some stores had been replaced? It looks like the same thing has happened at bookseller Barnes & Noble’s brick-and-mortar stores. According to the New York Times, the firm discovered the breach on September 14. As of now, it appears that pads at 63 stores were tampered with in the following states: California, Connecticut, Florida, New York, New Jersey, Rhode Island, Massachusetts, Illinois, and Pennsylvania. There have reportedly been some claims of fraudulent use of card numbers associated with the breach.
So when will B&N send notifications to consumers – or won’t they? They did notify card issuers, and if all B&N has is name and card number, they may leave it to the card issuers to notify customers. The chain does suggest changing your PIN number, but doesn’t indicate how far back this breach might go. They do say that most fraudulent charges occurred in September.
Although the breach was detected on September 14, initial disclosure was delayed so as not to interfere with the government investigation. That’s understandable and permissible, but consider this:
The company has received two letters from the United States attorney’s office for the Southern District of New York that said it did not have to report the attacks to its customers during the investigation, according to the official. At least one of the letters said that the company could wait until Dec. 24 to tell the customers.
Where did the USAO get that December 24th date? Were they asked specifically if they could delay that long so as not to interfere with holiday sales, or was the USAO guesstimating how long the investigation would take or….?
There is no notice on B&N’s web site at the time of this posting.
Update 1: Their notification and press release are now up on the California AG’s web site. I suspect media coverage resulted in the customer notification letter, which is dated today.
Update 2: And now CT’s AG Jepsen has opened an investigation.
Image credit: Barnes & Noble by phototakeouterBX/Flickr.