Barnes and Noble on Tuesday announced that it had suffered a data breach in stores in California, Florida, New York, New Jersey, Rhode Island, Connecticut, Massachusetts, Illinois and Pennsylvania. The data breach was traced back to PIN pad devices used by customers at the cash registers to pay for their purchases with either debit cards or credit cards. Even if you have not shopped in a Barnes and Noble store recently, the lessons to be learned from this hacking are important. Although the case is still being investigated, it appears that one PIN pad device in each of the affected stores was tampered with so that the hackers were able to retrieve the information and use it for identity theft purposes. The tampering could have been done by identity thieves either with the assistance of a rogue employee or by hackers who managed to get unwary employees to click on a link that installed malware.


If you used a debit card at a Barnes and Noble store within the last few months, you should change your PIN and carefully monitor your account. If you used a credit card, you should also monitor your monthly credit card statements to make sure that there are no unauthorized charges. Debit cards are a particularly dangerous way to shop because, unlike credit cards, the law does not limit your liability to $50 of unauthorized charges. In fact, if you fail to report the breach of your security for a debit card for more than 60 days after the breach, you could potentially lose all of the money in your checking account without recourse. And even if you do promptly report a breach of your debit card security, your account may be frozen while the situation is investigated by your bank. A good piece of advice to anyone using a credit card or debit card to make store purchases is to have the clerk swipe the card through the register. As with the Barnes and Noble data breach, identity thieves are increasingly accessing the PIN pad devices to get your information. Having your card swiped directly through the register is somewhat safer.