Barnes & Noble Inc. said Tuesday that devices used by customers to swipe credit and debit cards have been tampered with in 63 of its stores in nine states.
The company warned customers to check for unauthorized transactions and to change their personal identification numbers, or PINs. It didn't say how many accounts may have been compromised.
But The New York Times, citing a high-ranking company official it did not name, reported that hackers had made unauthorized purchases on some customer credit cards.
The New York-based bookseller said in a statement only one of the devices, known as PIN pads, was tampered with in each of the 63 stores. The stores are in California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania and Rhode Island. A list released by Barnes & Noble includes the downtown San Luis Obispo location as among the affected stores.
All the PIN pads in its nearly 700 stores nationwide were disconnected on Sept. 14 after the company learned of the tampering. Federal authorities are helping in its investigation.
Barnes & Noble said it is working with banks and card issuers to identify compromised accounts so that additional fraud-protection measures can be taken.
Customers at its book stores will now have to ask cashiers to swipe credit or debit cards on card readers connected to cash registers, a process that is secure, Barnes & Noble said.
Anything bought on Barnes & Noble.com or with the chain's Nook devices and app were not affected, the company said. It also said its customer database is secure.
Barnes & Noble is only the latest major retailer to be a victim of a serious data breach. In one of the largest, more than 45 million credit and debit cards were exposed to possible fraud because of hackers who broke into the computer system of TJX Cos., the parent company of retailers T.J. Maxx and Marshall's, starting in 2005.