Barnes & Noble is Now Informing Customers About Data Stolen During Saturday’s Hack

So it turns out that my suspicions about B&N’s server issues over the weekend were in fact correct. The retailer was hacked, and has confirmed that customer information, including email addresses and shipping info, was stolen.

Barnes & Noble sent out an email Wednesday night, informing customers about the hack, and denying that any credit card or financial info was compromised. (I have a couple of reports from readers that suggest this is not true, so I am remaining skeptical at the moment.)

I have not received this email, but several readers have. I have included a copy at the end of this post. If you are a regular B&N customer, I strongly urge you to ask your credit card company to place security checks on your cards just in case.

On a related note, B&N is still getting their systems back up and running again. In fact, the Nook servers are still down as of late Wednesday night.

Dear Barnes & Noble Customer,

It is with the greatest regret we inform you that we were made aware on October 10, 2020 that Barnes & Noble had been the victim of a cybersecurity attack, which resulted in unauthorized and unlawful access to certain Barnes & Noble corporate systems.

We write now out of the greatest caution to let you know how this may have exposed some of the information we hold of your personal details.

Firstly, to reassure you, there has been no compromise of payment card or other such financial data. These are encrypted and tokenized and not accessible. The systems impacted, however, did contain your email address and, if supplied by you, your billing and shipping address and telephone number. We currently have no evidence of the exposure of any of this data, but we cannot at this stage rule out the possibility. We give below answers to some frequently asked questions.

We take the security of our IT systems extremely seriously and regret sincerely that this incident has occurred. We know also that it is concerning and inconvenient to receive notices such as this. We greatly appreciate your understanding and thank you for being a Barnes & Noble customer.

Barnes & Noble
FAQ

1. Have my payment details been exposed?
No, your payment details have not been exposed. Barnes & Noble uses technology that encrypts all credit cards and at no time is there any unencrypted payment information in any Barnes & Noble system.

2. Could a transaction be made without my authorization?
No, no financial information was accessible. It is always encrypted and tokenized.

3. Was my email compromised?
No. Your email was not compromised as a result of this attack. However, it is possible that your email address was exposed and, as a result, you may receive unsolicited emails.

4. Was any personal information exposed due to the attack?
While we do not know if any personal information was exposed as a result of the attack, we do retain in the impacted systems your billing and shipping addresses, your email address and your telephone number if you have supplied these.

5. Do you retain any other information in the impacted systems?
Yes, we also retain your transaction history, meaning purchase information related to the books and other products that you have bought from us.

image by MikeKalasnik via Flickr 

Nate Hoffelder

Nate Hoffelder is the founder and editor of The Digital Reader. He has been blogging about indie authors since 2010 while learning new tech skills weekly. He fixes author sites, and shares what he learns on The Digital Reader's blog. In his spare time, he fosters dogs for A Forever Home, a local rescue group.

22 Comments

  1. […] Second Update: Yep, they were hacked. […]

    1. Susan, 16 October, 2020

      My credit card was charged late last night. The book I wanted to download was not the same $$ amount. BN site still not accessible, yet charge was made? Closed my card. Closed my account on BN. Probably too late.

  2. Disgusting Dude, 15 October, 2020

    The attack appears to be a ransomware attack according to an IT news site mentioned at Mobileread:

    https://www.bleepingcomputer.com/news/security/barnes-and-noble-hit-by-cyberattack-that-exposed-customer-data/

    The attack came via a vulnerability known (and patched) since April 2019.

    Suddenly, every tech site is discovering the attack, five days late.

  3. Steve, 15 October, 2020

    I continue to think that more information was exposed than B&N is currently admitting. I’ve had the card linked to my B&N account compromised, and I’ve seen comments on several sites saying others have had the same issue. Just as B&N’s story about what happened ‘evolved’ over time, I have a strong feeling that their admission of what data was stolen will as well.

    They’ve handled this in the worst possible way. Rather than coming clean and saying upfront what the extent of the problem has been, they’ve only admitted – piece by piece – the truth as others have come forward or they’ve been relentlessly pressed to do so. As someone who has been with NOOK since its debut, and is now seriously considering a move to Kindle, I also have a feeling that this will cost them dearly in terms of customer loyalty and future purchases. It seems B&N’s new owners are just as inept, or maybe even more so, at running the company than their predecessors.

  4. Gloria Grahame, 15 October, 2020

    When I worked at BN, we were told that the company did not keep transaction histories of customers’ purchases or payment transactions. I always thought they were less than truthful.

    1. Disgusting Dude, 15 October, 2020

      If they were talking B&M pbook sales it was probably true.
      If they were talking B&N.com it was a missed opportunity and bad business practice.
      If they were talking Nook they were misinformed or lying.
      Digital sales *requires* keeping transaction histories.

  5. Diane M. Weston, 15 October, 2020

    This is not the only time they have been hacked. They were the victim of drive-by hackers who stole all sorts of credit card data by aiming a device at a store and downloading the data into a computer. I remember that, as my data was stolen. It happened while I worked there years ago, and it took them over 6 months to tell those affected, even though we received an internal notice much sooner. As much as I loved the Riggios, I think the actions of this new owner, who is a financial services guy, in this instance, are a great improvement.

  6. Ismael Gonzalez, 15 October, 2020

    I’ve been a nook user since the very first one even while watching the technology flip flops that this company has made. I’m now reading my new ebook, purchased from another vendor, using the kindle app installed on my nook.

    B&N CEO, COO, & CTO should all be on the hot seat! The organizational incompetence displayed by B&N during this incident has been staggering. Communications to the user community almost nonexistent. Mr. Daunt, is this how you plan to turn the company around??

  7. Reader, 15 October, 2020

    Since my last B&N credit card purchase, my credit card number has changed, so I am not particularly disturbed.

  8. Avid Reader, 15 October, 2020

    “Barnes & Noble uses technology that encrypts all credit cards and at no time is there any unencrypted payment information in any Barnes & Noble system.”

    While this may be true, with this level of incompetence and lack of transparency how can B&N be trusted not to have had encryption keys or plain text passwords lying around on their compromised systems?

    This really could be the death knell for B&N. All my eReaders are Nooks as I like their form factor and physical buttons. I won’t go over to the Dark Side with a Kindle, so my next eReader will likely be a Kobo. Lost all trust in B&N.

    1. Chuck Dee, 15 October, 2020

      There’s a certain assumption at calling this incompetence. The enemy is determined and canny- all it takes is a single slip (and not necessarily by IT) for any system to be in the same place. I’d say that they would rather overemphasize if they had any inkling of other sensitive data being exposed rather than de-emphasizing the same- especially with the penalties being handed down to large companies for such oversights.

      1. Disgusting Dude, 15 October, 2020

        The vulnerability exploited was reported and patched back in April 2019.
        But B&N hadn’t installed the patch.
        What other word applies?

        1. Chuck Dee, 15 October, 2020

          How do you know what vulnerability was exploited? I haven’t seen that reported anywhere.

          1. Disgusting Dude, 15 October, 2020

            First post above says who found B&N data being offered on the darkweb. A security company had previously warned B&N of their unpatched VPN servers.

            As in:

            “Finally, cybersecurity intelligence firm Bad Packets told BleepingComputer that Barnes & Noble previously had multiple Pulse VPN servers that were vulnerable to the CVE-2019-11510 vulnerability.

            This vulnerability is popular among ransomware threat actors as it allows them to gain access to user credentials stored on the VPN device.

            A recent leak of Pulse VPN credentials gathered using this vulnerability contained accounts belonging to Barnes & Noble.”

            The credentials leaked to the darknet were exactly the kind of data exposed by that vulnerability. And exactly the kind needed to carry out that attack.

            1- They had exposed servers. (That should have been patched long ago.)
            2- The unpatched vulnerability exposed a certain kind of data.
            3- That very data was found online.
            4- It is also the kind of data that enables the hacking.
            5- They got hacked.

            Number one led to number five.
            Circumstantial but compelling.

            People whose job is finding and blocking attacks rendered their judgment and found it preventable.

      2. Avid Reader, 15 October, 2020

        Ok, so incompetence is a bit strong, but there certainly has been lack of transparency and communication to customers. That leads to mistrust that anything being said is the entire story.

        1. Disgusting Dude, 15 October, 2020

          That too.

          1. Chuck Dee, 15 October, 2020

            I didn’t see that link- thanks for directing me to it. It also mentions that it is speculation based on the profile of the attack, and the instance which you speak of was earlier- and hopefully the same people are not running the shop. But I suppose we’ll see in the coming months if information starts to show up on the Dark Web. But as I said, the penalties for non-disclosure that the financial information of customers left the building at this point would have their risk assessors screaming at them to do so.

  9. DLindsay, 15 October, 2020

    I purchased an ebook Wednesday. I had not received anything to inform me of the issue. I’ve not been able to access what I downloaded but they charged my card. This is NOT a pretty picture of a competent company!

  10. Sue, 16 October, 2020

    I agree with a previous article that pointed a finger at Amazon. I am suddenly getting a ton of spam about their EBS or early bird specials for Prime Week about eBooks. I have bought 4 paperbacks from Amazon in the last 5 years because B & N did not carry them and after unsubscribing from everything from Amazon this is the first I have heard from them other than to confirm my last purchase. One of these ads even said that the authors in that special were not currently available at Nook but the site for the author would lead to where you could buy it... Amazon. I smell a rat.

  11. […] If you’ve bought any books recently from Barnes & Noble, your information may have been compromised. […]

  12. […] the email to users, as published by The Digital Reader, the company said that while payment data was not accessed, data such as email addresses, billing […]
