The breach was discovered in mid-September, but has only now been publicly disclosed. The company says that its customer database is secure, but that any customers who used the PIN pads prior to 14 September should change their PINs and monitor their accounts. The FBI’s New York field division is investigating the breach.
There is some confusion over why more details haven’t been given to affected customers. The New York Times quotes an unnamed official from Barnes and Noble saying, “We have acted at the direction of the U.S. government and they have specifically told us not to disclose it, and there we have complied.” The newspaper also reports that the company has received two letters from the US attorney’s office saying that “it did not have to report the attacks to its customers during the investigation,” and that it “could wait until Dec. 24 to tell the customers.”
But whether by direction or invitation, Barnes and Noble is still releasing little information and has offered no suggestion of how the attack was undertaken. What is clear is that the simultaneous breach of 63 separate stores is a complex operation. “This is no small undertaking,” Edward Schwartz, the chief security officer at RSA, told the NYT. “An attack of this type involves many different phases of reconnaissance and multiple levels of exploitation.” Insider involvement cannot be ruled out.
Meanwhile, Barnes and Noble has stressed that its college bookstores and online purchases are unaffected.