Retailer Barnes & Noble said customers who shopped at any of its 63 stores in the U.S. as recently as September may have had their credit card information stolen, and that federal law enforcement authorities have been informed of the breach.
All PIN pads at its U.S. stores were disconnected by the close of business Sept 14. due to signs of tampering, the company said in a statement.
Stores in California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania and Rhode Island were affected, Barnes & Noble said.
The company advised those who have swiped their cards at stores in the affected states to change their debit-card PIN numbers as a precaution, and to review their statements for unauthorized transactions.
Still, the company said its customer database was secure, and that purchases made on the Barnes & Noble website, Nook e-reader and Nook mobile apps were not affected.
Barnes & Noble said it has been assisting federal authorities with investigations into the matter.
Separately, a spokesman for the Federal Bureau of Investigation (FBI) told Reuters the agency's New York field division was investigating the breach at Barnes & Noble.
The spokesman confirmed a New York Times report that said the company received two letters from the U.S. attorney's office for the Southern District of New York that said it did not have to report the attacks to its customers during the investigation.
At least one of the letters said the company could wait until December 24 to inform customers.
(Reporting by Phil Wahba, Basil Katz and Sakthi Prasad; Editing by Bernadette Baum)