The company didn’t announce the breach or inform customers. A spokesman acknowledged the issue in response to questions but defended not alerting the public earlier due to a request from the U.S. Justice Department to allow the FBI time to investigate. In a letter, Justice gave the firm until Dec. 24 to warn its customers about the breach.
Barnes & Noble did inform credit card companies that some accounts might be compromised. The spokesman also said the company is aware that some of the card numbers stolen were used to make fraudulent purchases.
The hack was performed by penetrating one credit card pad in each of the 63 stores targeted. On that pad, customers who swiped their cards and entered a PIN had their information recorded and sent to the perpetrators. In response, B&N deactivated all of its credit card pads and had them examined. The devices have not been reinstalled.
The company said only the stores involved were exposed. Customers at other B&N locations, such as college bookstores, its website and its Nook store aren’t at risk.