Breach, Data Security

In Barnes & Noble skimming case, federal judge dismisses plaintiffs’ class-action suit

A federal judge in Illinois has tossed a class-action lawsuit against Barnes & Noble, after plaintiffs failed to demonstrate loss or injury as a result of a PIN pad tampering incident last year.

Judge John Darrah granted the bookseller's motion to dismiss the case last Tuesday, and highlighted major holes in the claims made by four Barnes & Noble customers who said they were impacted by the breach.

In Sept. 2012, Barnes & Noble, the country's largest book retailer, removed PIN pads from all of its nearly 700 stores nationwide after tampered devices were discovered at 63 locations in Illinois, New York, New Jersey, California, Massachusetts, Florida, Pennsylvania, Rhode Island and Connecticut.

There was a six-week delay between the time the company become aware of the breach and when it made the announcement last October that bandits planted bugs in its PIN pad devices to steal customer credit and debit card information via skimming fraud.

As a result, plaintiffs in Illinois – Susan Winstead, Ray Clutts and Jonathan Honor – along with California resident Heather Dieffenbach, filed claims against Barnes & Noble late last year.

According to Judge Darrah's filed opinion and order on the case, the plaintiffs claims include a range of damages caused by the breach, including untimely and inadequate notification of the security breach, improper disclosure of their personal identifying information (PII), loss of privacy, expenses as a result of mitigating identity theft or fraud, and time lost as a result of minimizing their risk of identity theft. In addition, the plaintiffs alleged the incident caused the “deprivation” of their PII's value, and personal anxiety and emotional distress, the court document said.

Despite these claims, Winstead was the only plaintiff who experienced fraudulent activity on her credit card account after the skimming incident, Darrah found.

The judge dismissed the plaintiffs' claims on the basis that they failed to prove how they suffered injury or loss, primarily, because there was no substantial evidence their data was stolen in the breach.

Even in Winstead's case, it was “not directly apparent that the fraudulent charge was in any way related to the security breach at Barnes & Noble,” court documents said. Winstead never showed that her credit card company or bank failed to reimburse her for the fraudulent charge, which is necessary “in order to have suffered an actual injury,” the judge said. reached out to Barnes & Noble, but did not immediately hear back.

The company has yet to release details on how saboteurs were able to access its PIN pad devices, or whether criminals exploited a vulnerability to attempt skimming fraud.

Last November, a Barnes & Noble spokewoman declined to provide additional details on the brand or model of PIN pads that was removed from its stores. The FBI, which was investigating the incident, also provided no further information.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.