Barnes & Noble confirms compromised PIN pads leaked credit card data in 63 stores

Bookseller Barnes & Noble has confirmed that PIN pads in 63 of its stores were compromised to collect credit or debit card information. In a press release this morning, the company said it found one compromised pad in each of the stores, which were spread across California, Florida, New York, and five other states. Each affected pad had a device attached to surreptitiously record data when customers swiped their cards, a common technique that in this case appears to have been part of a coordinated plan. The news was first reported by The New York Times, which quoted an anonymous Barnes & Noble official as saying that it had found evidence of unauthorized purchases throughout September, but that reports had dropped off recently.

While it took steps to stop the breach, Barnes & Noble apparently did not notify customers directly because of an ongoing FBI investigation. In its statement, the company downplayed the extent of the problem, saying that the tampering had affected “fewer than 1 percent of PIN pads” in its roughly 700 US retail stores. Since September 14th, it’s discontinued use of all retail store pads, asking cashiers to process cards directly from the register. None of its college bookstores appear to have been affected. If you’ve used a card at one of the locations listed, Barnes & Noble recommends you review your credit card or bank statement and — for debit users — change your PIN. We’ve reached out to the company and will update if there’s any word on how many people were affected or who was behind the hack.

Update: A Barnes & Noble spokesperson has responded, saying that it “cannot comment beyond [its] release due to ongoing FBI investigation.”