Barnes & Noble stores targeted by hacking operation

By Jennifer Martinez - 10/24/12 05:51 PM ET

Book retailer Barnes & Noble on Wednesday disclosed that PIN pad devices used in 63 of its stores had been compromised as part of a sophisticated criminal operation aimed at stealing customers' financial information.

The bookseller said criminals had inserted malicious bugs into the PIN pad devices customers use to swipe their credit and debit cards through when making purchases. The bugs were able to steal customers' credit card and PIN numbers when they used the devices.

One compromised device was found in each of the 63 affected stores, according Barnes & Noble. After it discovered the breach, the company said it notified law enforcement authorities and disconnected all PIN pad devices in its stores by Sept. 14.

Barnes & Noble said a federal investigation into the incident is under way. The affected stores are spread across nine states, including California, New York, Florida and Illinois. The book retailer said it has also conducted its own investigation and inspected every PIN pad device in its stores.

"Barnes & Noble is continuing to assist federal law enforcement authorities in this matter," the company said in a statement. "In addition, the company is working with banks, payment card brands and issuers to identify accounts that may have been compromised, so banks and issuers can employ enhanced fraud security measures on potentially impacted accounts."

Book purchases made at Barnes & Noble's college bookstores and on its website, NOOK e-book devices and mobile apps were not affected, according to the company.

One cybersecurity expert warned that hackers are increasingly targeting retailers in their crosshairs.

"Organized crime has adopted hacking as a business model and are acutely aware that retailers' security is inferior to bank security, and thus are training their cyber guns against major retailers," said Tom Kellermann, vice president of cybersecurity at TrendMicro. "These retailers are over-relying on encryption to protect their networks."

The breach was first reported by The New York Times.

Customers who used their cards at one of the affected stores should review their bank accounts for suspicious transactions and immediately notify their bank if they spot any unauthorized purchases, Barnes & Noble advised. The company also encouraged debit card owners to change their PIN combinations.