Barnes & Noble suffers a cyberattack, customer data potentially exposed

Barnes & Noble has been hit by a cyber attack that potentially exposed customers’ data. With over 600 bookstores in 50 US states, Barnes & Noble is the largest bookseller in the US.



Users of Nook, Barnes & Noble’s e-reader, started experiencing issues on October 10, with numerous customer complaints about disappeared Nook libraries posted on Nook’s Facebook and Twitter accounts. On Monday, October 12, Nook posted statements on Twitter and Facebook about the issues users had been experiencing, saying that a system failure was interrupting access to Nook content.


“We have a serious network issue and are in the process of restoring our server backups,” Barnes & Noble said in a statement shared with Fast Company. “Our systems are back online in our stores and on, and we are investigating the cause. Please be assured that there is no compromise of customer payment details, which are encrypted and tokenized.”

In an email sent to customers on Wednesday, Barnes & Noble disclosed that it had in fact been the victim of a cyber attack. The company became aware of the attack on October 10 and said it resulted in “unauthorized and unlawful access to certain Barnes & Noble corporate systems”.

The malicious actors who accessed the bookselling giant’s systems were potentially able to access customer information. While Barnes & Noble was quick to reassure users that payment card and other financial information was not accessed because that data is encrypted and tokenized, the attackers were likely able to access customers’ email addresses, billing and shipping addresses, and telephone numbers, though the company is not sure that this is definitely the case.


The email sent to customers also includes an FAQ about the incident. It states that payment data was not accessed because customers’ credit cards are encrypted. It also notes that if attackers were able to access customer information, customers may receive unsolicited emails. There is a real possibility that, if the information was accessed, it will be used for phishing attacks or other scams targeting users. Users should therefore be on the lookout for the foreseeable future.

The specifics of the cyber attack have not been revealed, though there has been speculation that ransomware is the culprit. In one of its statements, Barnes & Noble said that it had to restore server backups, which indicates that ransomware could be involved. If that is indeed the case, the ransomware operators may be threatening to publicly release the data they stole if Barnes & Noble does not pay the ransom. More details will likely emerge in the near future.