Barnes & Noble on Tuesday advised customers to be on the lookout for identity theft after the bookseller said hackers stole credit card data from 63 of its stores.
The national bookstore chain said in a statement it “found evidence of tampering” in electronic devices used to process debit and credit card transactions. The company said it was working with banks and credit card companies to identify accounts that may have been compromised so it can employ enhanced fraud security measures on "potentially impacted accounts."
The breaches occurred in Barnes & Noble stores from California to Florida, including Chicago and New York, the company said. A list of the stores affected by the breach can be found here. Barnes & Noble said it disconnected all of the devices, which allow customers to swipe their debit and credit cards at checkout counters, on Sept. 14 and notified the FBI and the U.S. attorney's office in the Southern District of New York.
Barnes & Noble spokeswoman Mary Ellen Keating told The Huffington Post that authorities asked the bookseller to keep quiet about the breach until now “in order not to impede investigation.” She did not comment on how the breach occurred.
The FBI and U.S. attorney's office couldn't immediately be reached Tuesday night.
“Customers can make transactions securely today by asking booksellers to swipe their credit and signature debit cards through the card readers connected to cash registers,” Barnes & Noble said in a statement.
A Barnes & Noble official told The New York Times that hackers had made unauthorized purchases using data from customers' credit cards.
The bookseller said purchases made on its website or via its e-reader, Nook, were not affected.
Barnes & Noble advised customers who shopped at the 63 stores to change the PIN numbers on their debit cards and review their accounts for unauthorized transactions.
Security breaches involving credit card processors -- also called “point of sale” terminals -- are not unusual, but are becoming more sophisticated.
In March, Verizon's Data Breach Investigations Report found that organized criminal groups have been swapping legitimate credit and debit card processors with their own devices that look identical but can capture credit card data. The report found that more than half of security breaches last year occurred at restaurants, and about 20 percent took place at retail stores.
Last year, authorities alleged that Romanian hackers had stolen payment card data from credit card processing machines at hundreds of small businesses, including more than 150 Subway restaurant franchises. Last month, two of the hackers pleaded guilty and one was sentenced to seven years in prison.