A U.S. federal appeals court has ruled that victims of a payment card data breach at Barnes & Noble can seek damages against the national bookseller.
According to Reuters, the decision came on 11 April when the 7th U.S. Circuit Court of Appeals in Chicago said that Heather Dieffenbach of California and Susan Winstead of Illinois deserve to sue for damages from Barnes & Noble.
The appeals court thereby revived a lawsuit filed by Dieffenbach and Winstead following a 2012 data breach that affected the retailer.
On 14 September 2012, Barnes & Noble discovered that black-hat hackers had stolen customers’ payment card information at 63 of its locations across the United States. It learned the criminals succeeded in their data theft by tampering with the keypads in front of the registers that customers use to swipe their payment cards and enter in their cards’ personal identification numbers (PINS). With those details, the bad actors made unauthorized purchases to customers’ payment card accounts.
An unnamed official at the bookseller said the company stayed mum about the incident for some time because the U.S. Justice Department had requested it do so while it looked into identifying those responsible for the breach. As quoted by The New York Times:
We have acted at the direction of the U.S. government and they have specifically told us not to disclose it, and there we have complied.
Dieffenbach and Winstead, two affected customers of the breach, responded by filing a lawsuit in which they alleged the security incident had damaged the value of their personally identifiable information and caused them emotional distress. But as reported by Bloomberg BNA, Judge Andrea Wood of the U.S. District Court for the Northern District of Illinois rejected the lawsuit on the grounds that the plaintiffs’ alleged injuries weren’t sufficient to justify legal action.
The decision of the 7th U.S. Circuit Court of Appeals in Chicago to overturn Judge Wood’s ruling means that Dieffenbach and Winstead can potentially seek damages for purchasing credit monitoring services and spending time reversing unauthorized transactions to their payment card accounts.
Their case will head back to Judge Wood.
While this lawsuit moves forward, retailers should use this story to protect their point-of-sale (POS) systems against not only malware like PinkKite but also data thieves seeking to tamper with their terminals’ keypads. They can learn more about how to protect their POS systems by downloading this resource.