On September 3, 2013, the U.S. District Court for the Northern District of Illinois dismissed a class action complaint against Barnes & Noble seeking damages based on a data security incident, finding that the plaintiffs lacked standing to bring the claims. This decision reaffirms that retailers may be able to avoid damages for data breaches where the plaintiffs cannot allege or establish actual damages.
In October 2012, Barnes & Noble notified the public, through a press release and a notice on its website, that it had discovered hackers were stealing credit and debit card information from its PIN pad devices at 63 stores across the country. The hackers obtained the data by tampering with the PIN pad devices used to process transactions. Barnes & Noble made the announcement approximately six (6) weeks after it discovered the fraudulent activity. Barnes & Noble did not directly notify individual customers.