Hackers were able to breach more than 60 Barnes & Noble (BKS) stores, including locations in New York City, Miami, San Diego and Chicago, and obtain credit card information, according to a report from The New York Times. The information is believed to have been stolen from keypads at store registers where customers swipe their cards and enter their pin numbers. Customers who have used the company’s website, mobile application and college bookstores were not affected by the breach, though. Barnes & Noble discovered that information had been stolen around September 14th, however the company has reportedly kept the matter under wraps at the request of the Justice Department so the FBI could investigate the attacks.
“We have acted at the direction of the U.S. government and they have specifically told us not to disclose it, and there we have complied,” an official, who asked not to be identified, said to the Times.
In response to the breach, Barnes & Noble has disabled and examined all 7,000 keypads in its stores. The company also acknowledged the incident and said that as a precaution, customers who used their cards at any of the 63 Barnes & Noble locations should change their PINs and scan their accounts for unauthorized charges.
Barnes & Noble did not offer additional information regarding how the data was stolen, however security experts have theorized various ways that the incident could have occurred. The attack might have come from a company insider inserting malicious code into the system, or perhaps an unsuspecting employee clicked on a malicious link that installed malware, giving unauthorized access to the company’s point-of-sale systems.