Barnes & Noble gets sued over PIN “skimming” scam
On October 27, 2012, plaintiff Elizabeth Nowak filed a putative class action against Barnes & Noble (“B&N”) arising out of the PIN pad tampering incident reported by the company as of October 23, 2012 (see press release of October 24, 2012:
www.barnesandnobleinc.com/press_releases/10_23_12_Important_Customer_Notice.html ).
In its press release, Barnes & Noble advised that it detected tampering with PIN pad devices used in 63 of its stores. The tampering was limited to one compromised PIN pad in each of the affected stores. The B&N statement says that criminals planted bugs in tampered PIN pad devices and that it disconnected all PIN pads from its stores, nationwide, by close of business September 14, 2012. The press release further advised that the company notified federal law enforcement authorities and it was “supporting” the investigation.
In the complaint, filed in the USDC for the Northern District of Illinois, plaintiff alleges that B&N’s security failures enabled skimmers to steal financial data within B&N stores, allowing for unauthorized purchases and putting the class members’ financial information at serious and ongoing risk ( skimmers – a device made to be affixed to the mouth of an ATM and secretly swipe credit and debit card information when bank customers slip their cards into the machines to pull out money, see http://krebsonsecurity.com/all-about-skimmers/). Plaintiff alleges that B&N failed to disclose the extent of the breach and failed to individually notify each affected customer. Plaintiff asserts claims for breach of implied contract and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act.
The individual plaintiff, Nowak, states that she shopped at a B&N store in Illinois prior to September 14, 2012 and that at on at least one of these occasions, she swiped her debit card through one of the store’s PIN pad terminals. While plaintiff alleges that B&N customers are subect to continuing damage from having their personal information compromised, the allegations do not contain any specific reference to plaintiff’s alleged loss or injury from identity theft, credit card fraud, or other specific costs related to card reissuance or credit monitoring. Plaintiff alleges that B&N failed to directly notify individual customers and that B&N was aware of the problem for six weeks before making a public announcement about the scam. Plaintiff further alleges that B&N failed to post signs in each of its affected stores to notify returning customers that their financial information may have been compromised (plaintiff does not allege a specific violation of any breach notification statute, although the Illinois statute does allow for substitute notice if the cost of providing notice would exceed $250,000 or the affected class exceeds 500,000 – substitute notice would not have included posting signs in the stores to notify returning customers that their financial information may have been compromised; substitute notice would only be through email, conspicuous posting on the entity’s website or notification to statewide media).
The Connecticut AG is interested:
http://www.ct.gov/ag/cwp/view.asp?Q=512804&A=2341
See copy of lawsuit at:
cyberpeg'd 