.hack//Barnes and Noble

Barnes & Noble kicked off the Columbus Day aka Indigenous People’s Day weekend with a rare one-day coupon, and their Black Friday Chapter 1 sale started just after Amazon’s Prime Day blitz.

If you didn’t hear that much about either of these, well, maybe it’s because some other Barnes & Noble news stole the spotlight — and not in a good way.

The Trouble Starts

On Saturday, October 10th, Nook owners and app users went to go find their next read, but users started reporting they couldn’t access their eBooks in the cloud or purchase new ones. Trying to read and download would be blocked by error messages, and trying to access eBooks online wasn’t working either:

The website Good E-Reader contacted Barnes & Noble, and they were told the systems were down for maintenance, a fact that would frustrate users as a planned server update was never disclosed in advance or even at the time it started.

The downtime continued, and on Monday, Barnes & Noble had listed this as a “service alert” on the Nook support page.

Barnes & Noble Nook alert
Cached image from Google

On Tuesday, October 13th, they sent out apology emails to Nook owners, saying they had to “restore our server backups” and customers would receive some sort of Barnes & Noble credit as compensation for the downtime.

That was also the first time Barnes & Noble had posted any notice about Nook problems on their social media pages.

It was followed up the next day with another apology.

Troubles Grow and Finally Get Resolved

That was only part of the story, however: Barnes & Noble stores were also having problems the same weekend. As Reddit user AlreadyAligned explained, “Bookmaster can only search by isbn. No orders can be made. Receiving is a mess. Registers only half work. Sales aren’t ringing correctly. PDTs were on the fritz.” (Bookmaster is their database system; PDTs are the devices employees carry around to scan barcodes.) User carminecities also shared their frustration at work: “our pdts keep dropping in and out, bookmaster is barely functioning, and only one of our front registers is working. absolute chaos”

While all that caused a lot of misery for workers and shoppers, most store and online systems were back online by Wednesday, and Nook systems were mostly or all functional by the weekend. Customers are required to reset their password the next time they try to log into BN.com, and the Nook Twitter account advised users to logout and login and/or deregister and reregister their account to get Nook to work.

Not Just Mere Maintenance

However, days earlier, more information began trickling in that this wasn’t ordinary maintenance gone wrong. On Sunday, October 11th, Good E-Reader updated their original article, reporting that Barnes & Noble workers were saying it was a virus. The Register also gathered more information from Barnes & Noble and made their own analysis: “The company told The Register it has ‘a network issue and are in the process of restoring our server backups,’ which sounds like a ransomware attack.”

In their same Reddit post quoted earlier, AlreadyAligned shared what they were told on Sunday:

 “Apparently a legit Virus/Trojan (I’m not developer savvy with the lingo) got in to the network at corporate and filtered out to effect stores, nooks, everything. The registers when booted down come back up with some kind of message that is apparently horrific enough my boss wouldn’t repeat it to me and was instructed not to. (Would love someone to leak what it said.) But if anything is shut down… When it boots back up its infected with the virus.”

All of this would align with the fact that Barnes & Noble admitted on the 14th they were having to restore from backups. The hack was confirmed late Wednesday, early Thursday morning when this email was sent to Barnes & Noble customers like me:

Barnes & Noble Hack e-mail notification

While names, emails, addresses, and phone numbers were likely leaked, Barnes & Noble stated that customers’ financial information was protected and inaccessible. At least two commenters on the Good E-Reader article stated that the credit card they have saved to their Barnes & Noble account had recent unauthorized charges and required them to be cancelled. While it’s possible that’s connected, it could also be from scammers guessing passwords or whatever versus directly accessing credit card information.

Analysts suggested to Threatpost and BleepingComputer that the breach could have occurred through Pulse Secure VPN. Info gained from an exploit in this system has been shared online, and BleepingComputer shared an image showing accounts tied to Barnes & Noble and added, “Unfortunately, if they did suffer a ransomware attack, it is likely that much more data was exposed than Barnes & Noble is disclosing.”

Barnes & Noble data
From Bleeping Computer

The Pulse Security VPN vulnerability (called CVE-2019-11510) was patched in April 2019, and Bad Packets tracked all the targeting of this exploit from August 2019 to April 2020. Also in April 2020, the US’ Department of Homeland Security urged users to update their systems if they hadn’t already. Screenshots from ZDNet about this CVE-2019-11510 showed that the info was likely obtained in June and July 2020, so it’s possible while the ransomeware takedown of Barnes & Noble only happened in October, information was being accessed for months.

Repercussions

Unfortunately, hacks are an eternal and legitimate threat when interacting or shopping online. Heck, even shopping in-store with a card can lead to your financial information being exposed, which happened in select Barnes & Noble stores in 2012. For customers, it’s a headache to deal with — checking every charge on your bill to make sure nothing is amiss, credit card companies on high alert and having to call you before a legitimate purchase can go through, and canceling cards and having to wait for a new one — and updating any accounts that may be tied to that card. Not to mention that, even though what books people buy seems innocuous, any data is valuable. In the wrong hands, especially when connected to names and addresses, it can lead to even deeper analytics and schemes from troll farm targeting to blackmail.

The analyst who spoke to Threatpost praised Barnes & Noble for not sitting on this information for too long, but Nook users probably don’t fully share that sentiment. If workers were already reporting on Sunday that this was a data breach, that was still three or four full days where their customers were left in the dark — or at least had to go digging to find any notice of an incident. Of course Barnes & Noble doesn’t want this information plastered all over the web, but to not even have a notice on Facebook and Twitter by Monday that Nook (let alone other stores and systems) were having problems? Frustrating for customers.

Again, part of any (real or perceived) foot-dragging probably has to do with the season. The holiday shopping months are right around the corner, if not already starting. People are going to be very hesitant about buying Nook devices this Hanukkah/Christmas/Kwanzaa knowing that just a couple of months ago, the whole system was inaccessible for about a week.

Not to mention that most companies who have suffered data breaches (like Target and GameStop) have suffered financial hits due to compensating customers. Even if payment information remained secure, Barnes & Noble could still be open to fines and penalties if customers’ data was leaked. Plus, after cyberattacks, there tends to be a downturn in business as worried and angried customers turn to stores’ rivals. If even a small fraction of customers deceived to instead go to Amazon or Walmart instead of Barnes & Noble, that would still be significant for this struggling chain — especially in the middle of this pandemic. As I discussed a bit a few weeks ago, shoppers have indicated they’re planning on cutting back their holiday shopping, especially at malls, where a lot of Barnes & Noble stores are located.

Perhaps though Barnes & Noble has enough of a loyal fanbase to overcome these issues — or that in this election-heavy news cycle, the incident will escape a lot of scrutiny. That’s dangerous for consumers, of course, just in case people aren’t checking their credit card bills for unauthorized charges. Either way, this is a sober reminder that both companies and consumers need to set up safeguards. But with Nook adaptation far behind Amazon’s Kindle, this is not going to help. Still, there’s just so much unknown at this time, and if Barnes & Noble is trying to trickle out the truth to avoid outrage, well, it’s likely only going to get worse for them.

My shopping at Barnes & Noble has already been practically reduced to zero even before the store closures because of their lack of sales, coupons, and discounts. Even though this sort of thing can happen anywhere, I admit being a little leery about going back. While the cards I had saved were close to expiration or already expired (depending on when hackers first accessed the data), it’s still scary and frustrating, as I’ve gotten my card number stolen before.

So I’m sure I’m joining everyone else in crossing my fingers that we don’t find out the situation was even worse than we know. So while Barnes & Noble kicked off October 10th with the first coupon I’ve seen in a long time, I wouldn’t be surprised if these start becoming a little more common as they try to win back customers’ trust. Whether it will work or not will likely depend on how massive this cyberattack really was.

Did you try to access your Nook books or make a purchase at Barnes & Noble during the troubles? Are you worried about any sensitive information being exposed because of the hack? Will this affect how much you shop at Barnes & Noble in the near future?