No company is immune to security threats. This seems to be the norm, with hackers finding new targets every day, the latest being Barnes & Noble. It has come to light that hackers have stolen the credit card information of customers who shopped at 63 Barnes & Noble stores across the country, even as early as last month. These stores include ones in New York City, San Diego, Miami and Chicago.
Although the breach was discovered on the 14th of September, the matter was kept secret at the request of the Justice Department so that the FBI could determine the hand behind these attacks. It has been reported that the information was stolen by hackers who broke into the keypads in front of registers where customers swipe credit cards and enter their Personal Identification Numbers (PINs).
Responding to questions about the attack, the company acknowledged it and said that, as a precautionary measure, all customers who have shopped at any of the 63 Barnes & Noble stores that were attacked have been asked to change their PINs and check their accounts for any unauthorized transactions. One of the high-ranking officials of the company said that hackers had used the credit card information of some of the customers to make unauthorized purchases, but this was in September, and not in recent weeks.
Defending the company’s decision to keep the attack a secret, the official also said that the company had done so at the request of the government, but they had informed credit card companies that certain accounts may have been compromised.
In order to determine how the attack occurred, the company turned off all 7,000 keypads in its several hundred stores and had them shipped to a site where they were examined. It was then determined that only one keypad in each of the 63 stores had been hacked. The company also gave assurances that purchases at its college bookstores and on BarnesandNoble.com, Nook, Nook mobile apps and its member databases were not affected by the hacking.
While most states, including California, require companies to notify customers of a breach if their names are compromised in combination with other information such as credit card, SSN, etc., Barnes & Noble has yet to notify its customers about the attack. However, encrypted information is exempt from this rule, and hence companies that wrap customer data in basic encryption do not have to tell customers about the breach.
While some computer security experts say that such an attack entails a multilayered assault, others believe that an insider could have inserted malicious code, or that criminals could have persuaded an unsuspecting employee to click on a malicious link that installed malware, giving hackers a foothold into the point-of-sale systems at Barnes & Noble.
Whichever the case, it is quite evident from such attacks that companies which presume they have protected their customers’ data well are grossly mistaken. They should take steps to ensure complete security, and adopt a solution like SecureGRC that can enable this.