Digital Identity Blog

Thought leadership for cybersecurity, fraud and digital channel professionals

“Fifty Shades of Gray” from a Barnes & Noble Could Have You Seeing Red. Credit Card Breach at Stores Across USA.

By ThreatMetrix
ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches.

“Fifty Shades of Gray” to “Diary of a Wimpy Kid”: the subject matter did not matter to the cyberthieves who tampered with PIN pads in 63 Barnes & Noble stores around the country, including stores in New York City, San Diego, Miami and Chicago. The compromised PIN pads sat at the checkout in front of the registers, where customers swiped their credit or debit cards and entered their personal identification numbers (PINs).

When it learned of the attack, Barnes & Noble disconnected all 7,000 PIN pads in its stores and shipped them off for inspection, which determined that only one PIN pad in each of the 63 affected stores had been tampered with. The devices have not been reinstalled, so customers paying by credit or debit card now have to ask the cashier to swipe the card on a reader attached to the register.

According to a story in The New York Times, most states “require that companies notify customers of a breach if their names are compromised in combination with other information such as a credit card, a Social Security number or a driver’s license number,” yet Barnes & Noble did not tell its customers about the attack. The story noted that some states exempt companies from notifying customers when the compromised information is encrypted. In any event, Barnes & Noble did tell the credit card companies that certain accounts might have been compromised.

The company gave another reason customers were not informed. Said one company official, “We have acted at the direction of the U.S. government and they have specifically told us not to disclose it, and there we have complied.”

Additionally, The Times reported, “The company has received two letters from the United States attorney’s office for the Southern District of New York that said it did not have to report the attacks to its customers during the investigation, according to the official. At least one of the letters said that the company could wait until December 24 to tell the customers.”

When word of the attack got out, customers were told that, as a precaution, anyone who had used a payment card at any of the 63 affected Barnes & Noble stores should change their PIN and check their accounts for unauthorized use. One company official also acknowledged that the hackers had made some purchases using the stolen information.

The good news, such as it is: purchases at Barnes & Noble’s college bookstores and on its website were not affected, and neither were Nook devices, the Nook mobile apps or the company’s member database.

So, how was the system breached? Citing security experts, The Times says, “a company insider could have inserted malicious code, or criminals could have persuaded an unsuspecting employee to click on a malicious link that installed malware, giving the perpetrators a foothold into Barnes & Noble’s point-of-sale systems.”

Tom Kellermann, a security expert, said, “Attacks on point-of-sale systems are growing exponentially (in large part, because encryption no longer provided a deterrent for skilled hackers).”
