Barnes & Noble POS Hack

The point of sale stations at 63 Barnes & Noble stores around the United States have been the target of a data breach, according to the New York Times.

The attack may have started as early as September 14, 2012, and the company is now facing criticism that it should have disclosed the data breach earlier. However, state legislation and PCI allow a company to conduct an investigation and act in accordance with law enforcement before disclosing any breaches to the public. The company said it took the extraordinary step of sending all 7,000 keypads from each of its stores to one location for digital forensic analysis. The company found that only one keypad in each of the 63 stores had been compromised, not all of them. Additionally, states and PCI make exceptions in cases where the data was encrypted. There is no word on whether that was the case here.

As a result none of the stores have consumer-facing PIN pads; if customers want to pay with credit, the cashier has to swipe the card instead.

An attack of this type requires coordination. Someone would have to be physically present at the store and able to introduce malicious code into the point of sale terminal PIN pad. The fact that they targeted only one terminal in a store with many suggests a sophisticated campaign, with agents all across the country operating in a coordinated attack.