Barnes & Noble PIN Pad Devices Hit By Hackers

by Mintz Levin - Privacy & Security Matters

[author: Cynthia Larose]

As the New York Times reports, Barnes & Noble disclosed this week that it learned over one month ago – on September 14 – that hackers broke into point of sale PIN pad devices at 63 Barnes & Noble stores around the country and stole credit and debit card information for customers who had made purchases at those stores. The bookseller notified credit card companies that affected accounts might be compromised, but did not notify customers or publicly acknowledge the breach until today. The reason for the delay? According to the Times, Barnes & Noble agreed not to publicize the breach at the request of federal investigators, who were concerned that publicity would hamper investigation of the breach. The company stated that it received two letters from the U.S. Attorney’s Office for the Southern District of New York indicating that disclosure of the breach would not be required, and Barnes & Noble proceeded accordingly.

The security breach affected stores in New York, Pennsylvania, California, New Jersey, Connecticut, Florida, Rhode Island, Illinois and Massachusetts. According to the company, the hack did not affect the customer database, and purchases made at, on the company’s NOOK tablet reader devices, or through NOOK mobile apps were not affected.

The breach resulted from a sophisticated effort to capture customer data at the point of sale. According to a press release issued by Barnes & Noble, the hackers placed bugs on the point of sale PIN pad devices that customers use to swipe their own credit and debit cards for purchases at the stores. The bugs allowed the hackers to record users’ card number and PIN information. Use of the PIN pads was discontinued at all Barnes & Noble stores when the company learned of the breach on September 14. The press release identifies the stores from which data was stolen but does not say how the breach was discovered.

If this method of obtaining cardholder information sounds familiar, it is because you have been paying attention. The Barnes & Noble hack is eerily similar to one last year at Michaels, the craft store chain, a breach at discount grocer Aldi in 2010, and even back to a 2007 breach at Stop & Shop stores.

Regular visitors to this blog will be familiar with our consistent guidance that prompt customer notification, which is mandated by the laws of many states, is ordinarily the best course of action after a data breach has been discovered. In this case, however, it appears that it was reasonable for Barnes & Noble to comply with the investigators’ request to delay notice to customers. In particular, prompt notice of the breach to card issuers would have minimized the risk that the hackers could misuse the credit card and debit card information. According to the New York Times, “[a] high-ranking official for the company said that hackers had used information from some customers’ credit cards to make unauthorized purchases, but that activity had mainly occurred in September and had declined in recent weeks.” However, it is also common for law enforcement to specifically request that companies refrain from providing notice — particularly when the only reasonable form of notice is by public press release — in order to avoid tipping off fraudsters engaging in the skimming caper.

Ultimately, the determination of whether an ongoing investigation justifies non-disclosure of a data breach will depend on the specific facts and circumstances of that breach and should be made in consultation with counsel knowledgeable about applicable privacy laws and regulations. Remember, if you rely on a “law enforcement exception” to delay notification of a breach, you’d best have solid backup for the claim — and documentation of such is required under some state laws.

Better yet, to avoid the next big data breach, an article in the Chicago Sun-Times says “use cash.”

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Mintz Levin - Privacy & Security Matters | Attorney Advertising
