WASHINGTON – Hackers have stolen credit card information for customers who shopped as recently as last month at 63 Barnes & Noble stores across the country, including stores in New York City, San Diego, Miami and Chicago, according to people briefed on the investigation.
The company discovered around Sept. 14 that the information had been stolen but kept the matter quiet at the Justice Department’s request so the F.B.I. could determine who was behind the attacks, according to these people.
The information was stolen by hackers who broke into the keypads in front of registers where customers swipe their credit cards and enter their personal identification numbers, or PINs.
In response to questions about the attack, the company acknowledged the security breach, saying that as a precaution customers who used their cards at any of the 63 Barnes & Noble stores where information was stolen should change their PINs and scan their accounts for unauthorized transactions.
A high-ranking official for the company said that hackers had used information from some customers’ credit cards to make unauthorized purchases, but that activity had mainly occurred in September and had declined in recent weeks.
The official defended the company’s decision not to tell its customers about the attack, saying that the company had informed credit card companies that certain accounts might have been compromised.
“We have acted at the direction of the U.S. government and they have specifically told us not to disclose it, and there we have complied,” said the official, who asked not to be identified because the investigation was continuing.
The company has received two letters from the United States attorney’s office for the Southern District of New York that said it did not have to report the attacks to its customers during the investigation, according to the official. At least one of the letters said that the company could wait until Dec. 24 to tell the customers.
As the company tried to determine how the attack occurred, it turned off all 7,000 keypads in its several hundred stores and had them shipped to a site where the company could examine them.
The company determined that only one keypad in each of the 63 stores had been hacked. Nevertheless, the company has not reinstalled the devices.
“Right now, we have no PIN pads in any stores and we are O.K. with that,” the company official said.
Customers who want to use credit and debit cards now have to ask cashiers to swipe their cards on the readers connected to the registers.
The company said that purchases at its college bookstores and on BarnesandNoble.com, Nook, Nook mobile apps and its member database were not affected by the hacking. It did not say, however, whether it would now be telling individual customers that their information had been stolen.
While specifics differ, most states, including California, require that companies notify customers of a breach if their names are compromised in combination with other information such as a credit card, a Social Security number or a driver’s license number.
But states make an exception for encrypted information. As long as companies wrap consumer information in basic encryption, laws do not require them to tell customers about a breach.
“If you had a breach that included name plus credit card information, but the credit card information was encrypted, you would not have to provide notice,” said Miriam H. Wugmeister, a lawyer with Morrison & Foerster.
Computer security experts say such an attack entails a multilayered assault.
“This is no small undertaking,” said Edward Schwartz, the chief security officer at RSA, a security company. “An attack of this type involves many different phases of reconnaissance and multiple levels of exploitation.”
Barnes & Noble did not offer more information on how its network was penetrated. Security experts said a company insider could have inserted malicious code, or criminals could have persuaded an unsuspecting employee to click on a malicious link that installed malware, giving the perpetrators a foothold into Barnes & Noble’s point-of-sale systems.
“Attacks on point-of-sale systems are growing exponentially,” said Tom Kellermann, a vice president at the security company Trend Micro. Mr. Kellermann said this was, in large part, because encryption no longer provided a deterrent for skilled hackers.