Barnes & Noble, the country's largest bookseller, said data thieves hacked into payment devices and may have stolen customer credit and debit card information at 63 of its stores nationwide, including 20 in California.
Hackers planted bugs in a single card reader at each of the stores, the company said. Customers swipe their payment cards through the machines and, if using a debit card, enter their personal identification number.
Those PINs may be at risk, along with other account information, potentially giving thieves access to customers' private accounts.
Among the California locations hit were stores in Calabasas, San Diego and Chula Vista.
Though Barnes & Noble said fewer than 1% of the devices throughout its system were affected, the company said it disconnected all PIN pads in its nearly 7,000 stores after learning of the breach Sept. 14.
The chain's cashiers now process customer payment cards using more secure readers attached to cash registers, according to the company. Patrons of the targeted stores should check their accounts for unapproved transactions and change their PINs, the bookseller urged.
Hackers also tampered with machines in Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania and Rhode Island.
Barnes & Noble said it had completed an internal investigation into the "sophisticated criminal effort" and that federal authorities were looking into the crime.
"There is absolutely no indication that any Barnes & Noble employee was involved in this," said spokeswoman Mary Ellen Keating.
The company said it is also collaborating with banks, payment card brands and card issuers to identify which customer accounts were affected.
"This was an organized crime effort — a large group made a concerted effort to penetrate these stores," said Jim Butterworth, a fraud examiner and chief security officer with technology security company HBGary.
"It's not company insiders pulling something like this off," he said. "I don't think Barnes & Noble could have done anything above and beyond what it was already doing to prevent this."
The chain stressed that its customer database is safe and that purchases made through its website or using its Nook devices and app were unaffected.
The company's shares fell 11 cents, or 0.7%, to $15.21. They had fallen as much as 3% during regular trading Wednesday.
Though data breaches of retailer websites are well known, experts said the Barnes & Noble attack was unusual in that it happened in stores, not online.
"These [online] incidents are becoming fairly commonplace, and people might ignore most of them," said Los Angeles lawyer Timothy Toohey, whose practice covers stolen data and privacy protection. "But because this one involves brick-and-mortar transactions, it might hit a little closer to home."
Among the online breaches this year, 1.5 million passwords were stolen when online dating site eHarmony was hacked, not long after a similar attack on social network LinkedIn claimed 6.5 million passwords.
Last year, a breach exposed personal information and possibly credit card data of 77 million customers using Sony Corp.'s online PlayStation network. Analysts predicted the attack could end up costing Sony some $50 million in lost revenue, customer reimbursements and security defense.
In addition to the damage to its reputation, Barnes & Noble will probably face lawsuits from customers, Toohey said.
"People are increasingly sensitive about their privacy in a world where we share a lot of information," Toohey said. "There's been a drumbeat for the last few years over the necessity of data security, and yet you still see prominent companies falling prey."