Hacker News: Inside the Barnes & Noble Data Breach
Hackers have stolen credit card information from 63 Barnes & Noble stores across the US, reported the New York Times yesterday.
The hackers responsible for the theft stole the information by accessing keypads at checkout counters that are used to enter personal identification numbers (PINs) when customers make debit card purchases. Barnes & Noble is advising customers who have made purchases at one of their stores in the last month to change their PINs and check bank accounts for unauthorized transactions. It’s been reported that most unauthorized purchase activity occurred in September when the breach happened, but has since declined.
Why didn’t we know about the hack a month ago? The Justice Department apparently requested that Barnes & Noble not disclose the breach to the public so the FBI could have time to determine who was behind the theft. Barnes & Noble did, however, say that it had informed credit card companies of possible “risk” accounts that could have been breached. An official spokesperson for the stores confirmed that the information was not disclosed to customers and the public because of the Justice Department’s request.
During the investigation, the company reportedly turned off all 7,000 keypads in its stores and shipped them to a remote site for examination. It appeared that only one keypad in each of the 63 breached stores had been hacked. Barnes & Noble has yet to reinstall the devices, presumably in an effort to prevent repeat attacks. Currently the stores are using register swipes by employees to charge credit or debit cards.
Most states, due to PCI compliance standards, require a company to notify customers of a breach if sensitive information has been stolen, such as a Social Security number, credit card number or a driver’s license number. The standard applies, however, only if the stolen information was unencrypted. Because the credit card numbers in the Barnes & Noble stores had been encrypted, the company was not legally obligated to disclose the breach.
Chief Security Officer of RSA, Edward Schwartz, said that the breach was “no small undertaking. An attack of this type involves many different phases of reconnaissance and multiple levels of exploitation.” Barnes & Noble did not offer detailed information about how its network was penetrated, but it could have happened through a variety of channels. An employee could have inserted malicious code, or clicked on a link containing malware, either of which would permit the installation of malware into the company’s point-of-sale systems.
What businesses can learn from this incident is that hackers are getting extremely sophisticated in their methods of obtaining critical personal information. Every few months there seems to be another security breach that disrupts business, regardless of the breach’s magnitude. As Tom Kellerman, VP at security company Trend Micro, stated, “Attacks on point-of-sale systems are growing exponentially.”
This recent breach happened to a national retailer with stores in almost every major city across the United States, once a daunting target for hackers. Kellerman said that point-of-sale breaches are growing in popularity in large part because encryption no longer acts as a deterrent for skilled hackers. We saw similar means of accessing credit card information in the recent breach at Subway restaurants only a few months ago. At this rate, organizations may be forced to implement stronger security measures to keep critical data safe.