Barnes & Noble, the country’s largest bookseller, said data thieves hacked into payment devices and may have stolen customer credit and debit card information at 63 of its stores nationwide.
Hackers planted bugs in a single card reader at each of the stores, the company said. Customers swipe their payment cards through the machines and, if using a debit card, enter their personal identification number.
Those PINs, along with other account information, may be at risk, potentially giving thieves access to customers’ private accounts.
Barnes & Noble said it has completed an internal investigation into the “sophisticated criminal effort” and that federal authorities were looking into the crime.
“There is absolutely no indication that any Barnes & Noble employee was involved in this,” said spokeswoman Mary Ellen Keating. The company said it also is collaborating with banks, payment card brands and issuers to identify which customer accounts were attacked.
The company’s shares fell 11 cents, or 0.7%, to $15.21. They had fallen as much as 3% during regular trading Wednesday.
Though data breaches of retailer websites are well known, experts said the Barnes & Noble attack was unusual in that it happened in stores, not online.
Among the online breaches this year, 1.5 million passwords were stolen when online dating site eHarmony was hacked, not long after a similar attack on social network LinkedIn claimed 6.5 million passwords.
Last year, a breach exposed personal information and possibly credit card data of 77 million customers using Sony Corp.’s online PlayStation network. Analysts predicted the attack could cost Sony some $50 million in lost revenue, customer reimbursements and security defense.
Besides the damage to its reputation, Barnes & Noble will probably face lawsuits from customers.