Barnes & Noble customers file lawsuits after breach

Victims of a PIN pad tampering incident, which compromised customer information at dozens of Barnes & Noble stores, have filed three class-action lawsuits against the nation's largest book retailer.

In response to the breach, on Sept. 14, the company removed PIN pads from all of its nearly 700 stores nationwide after tampered devices were discovered at 63 locations in Illinois, New York, New Jersey, California, Massachusetts, Florida, Pennsylvania, Rhode Island and Connecticut.

Because of an FBI investigation, the retailer said it waited until Oct. 24 to make the announcement that bandits “planted bugs” in PIN pad devices to steal customer credit and debit card information through skimming fraud.

On Friday, two Illinois residents, Jonathan Honor and Ray Clutts, jointly filed a class-action complaint on behalf of themselves and others similarly impacted by the breach, alleging that Barnes & Noble waited too long to notify customers and that it also failed to individually contact those whose information was stolen.

The suit also cites Barnes & Noble's alleged “failure to protect its customers' personal financial data, including but not limited to credit and debit card information and person identification [PIN] numbers.”

Jeffrey Leon, an attorney representing plaintiffs Clutts and Honor, said on Tuesday that his clients know no more than what Barnes & Noble has released to the public.

“All we know is what Barnes & Noble has stated publicly – and that's the problem,” Leon said. “Barnes & Noble has not told people if their cards were used at one of the pads that had been compromised.”

He added that the company's suggestion that people who swiped their cards at the affected stores change their PINs was "overbroad" guidance.

Meanwhile, a week earlier, on Oct. 27 and Oct. 29, Illinois residents Elizabeth Nowak and Susan Winstead each filed individual class-action complaints as a result of the breach.

Winstead's complaint alleged that her credit card company called her in late September about a suspicious transaction, which led her to deactivate her credit card.

In a statement released Oct. 24, Barnes & Noble said that “evidence of tampering” was shown on one PIN pad in each affected store.

A company spokeswoman on Tuesday declined to provide additional details on the brand or model of PIN pads the chain used, as did a spokeswoman at the FBI, citing the ongoing investigation.
