As the New York Times reports, Barnes & Noble disclosed this week that it learned over one month ago – on September 14 – that hackers broke into point of sale PIN pad devices at 63 Barnes & Noble stores around the country and stole credit and debit card information for customers who had made purchases at those stores. The bookseller notified credit card companies that affected accounts might be compromised, but did not notify customers or publicly acknowledge the breach until today. The reason for the delay? According to the Times, Barnes & Noble agreed not to publicize the breach at the request of federal investigators, who were concerned that publicity would hamper investigation of the breach. The company stated that it received two letters from the U.S. Attorney’s Office for the Southern District of New York indicating that disclosure of the breach would not be required, and Barnes & Noble proceeded accordingly.
The security breach affected stores in New York, Pennsylvania, California, New Jersey, Connecticut, Florida, Rhode Island, Illinois, Massachusetts and Rhode Island. According to the company, the hack did not affect the customer database and purchases made at barnesandnoble.com, on the company's NOOK tablet reader devices, or through NOOK mobile apps were not affected.
The breach resulted from a sophisticated effort to capture customer data at the point of sale. According to a press release issued by Barnes & Noble, the hackers placed bugs on the point of sale PIN pad devices that customers use to swipe their own credit and debit cards for purchases at the stores. The bugs allowed the hackers to record users’ card number and PIN information. Use of the PIN pads was discontinued at all Barnes & Noble stores when it learned of the breach on September 14. The press release identifies the stores from which data was stolen but does not say how the breach was discovered.
If this method of obtaining cardholder information sounds familiar, it is because you have been paying attention. The Barnes & Noble hack is eerily similar to one last year at Michaels, the craft store chain, a breach at discount grocer Aldi in 2010, and even back to a 2007 breach at Stop & Shop stores.
Regular visitors to this blog will be familiar with our consistent guidance that prompt customer notification, which is mandated by the laws of many states, is ordinarily the best course of action after a data breach has been discovered. In this case, however, it appears that it was reasonable for Barnes & Noble to comply with the investigators’ request to delay notice to customers. In particular, prompt notice of the breach to card issuers would have minimized the risk that the hackers could misuse the credit card and debit card information. According to the New York Times, “[a] high-ranking official for the company said that hackers had used information from some customers’ credit cards to make unauthorized purchases, but that activity had mainly occurred in September and had declined in recent weeks.” However, it is also common for law enforcement to specifically request that companies refrain from providing notice -- particularly when the only reasonable form of notice is by public press release -- in order to avoid tipping off fraudsters engaging in the skimming caper.
Ultimately, the determination of whether an ongoing investigation justifies non-disclosure of a data breach will depend on the specific facts and circumstances of that breach and should be made in consultation with counsel knowledgeable about applicable privacy laws and regulations. Remember, if you rely on a "law enforcement exception" to delay notification of a breach, you'd best have solid backup for the claim --- and documentation of such is required under some state laws.