Credential theft
Barnes & Noble PIN Pad Skimmer Attack (63 Stores, FBI-Delayed Disclosure)
Primary Source
Incident Details
Barnes & Noble, the US bookseller, disclosed in October 2012 that PIN pad payment terminals at 63 retail stores across 9 states had been physically tampered with: skimming devices had been installed to capture both magnetic stripe data and PINs from payment cards. Barnes & Noble discovered the tampering in September 2012 and immediately disabled all PIN pad devices at its roughly 700 stores, reverting to swipe-only transactions at the registers. However, the company delayed public disclosure for approximately 6 weeks at the request of the FBI and Secret Service, who were conducting an ongoing investigation; the breach was announced in late October 2012. The incident was notable for: (1) the scale of coordinated physical device tampering across 63 locations in 9 states; (2) the capture of PIN data, which lets a cloned card be used for ATM cash withdrawals rather than only card-present purchase fraud; (3) the FBI-requested notification delay; and (4) Barnes & Noble's proactive step of disabling all PIN pads nationwide despite only 63 confirmed compromised locations. The perpetrators were never publicly identified.
Technical Details
- Initial Attack Vector
- Physical tampering: attackers installed hardware skimming devices (including PIN capture overlays) on PIN pad terminals at 63 Barnes & Noble stores across 9 states. A tampered terminal captured both the magnetic stripe data and the PIN entered for debit card transactions, which together are enough to clone the card and withdraw cash at an ATM.
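The control that catches this class of attack is not network-side: it is a point-of-interaction (POI) device inventory with periodic physical inspection, as PCI DSS requires (a recorded list of terminals with make, model, location and serial number, checked regularly for substitution or tampering). The following is an added example, not code from Barnes & Noble or any terminal vendor, showing how such an inventory is reconciled against inspection records; every store number, serial number, date and inspection entry in it is constructed for illustration.

```python
"""Reconcile a PIN pad (POI) inventory against physical inspection records.

Added example, not Barnes & Noble's or any vendor's code. Inventory rows,
inspection records, store numbers, serials and dates are all constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Terminal:
    store: str
    lane: int
    model: str
    serial: str        # serial recorded at installation


@dataclass(frozen=True)
class Inspection:
    store: str
    lane: int
    when: date
    serial_seen: str   # serial read off the device during the inspection
    seal_intact: bool  # tamper-evident seal present and overlay check passed


def reconcile(inventory, inspections, today, max_age_days=7):
    """Return findings keyed by (store, lane).

    Finding codes:
      'serial_mismatch' - device serial differs from inventory (swapped unit)
      'seal_broken'     - inspector reported a damaged seal or an overlay
      'stale'           - no inspection within max_age_days
      'unknown_device'  - inspection recorded for a lane not in the inventory
    """
    by_lane = {(t.store, t.lane): t for t in inventory}

    # Keep only the most recent inspection per lane; older ones are superseded.
    latest = {}
    for ins in inspections:
        key = (ins.store, ins.lane)
        if key not in latest or ins.when > latest[key].when:
            latest[key] = ins

    findings = {}
    for key, term in by_lane.items():
        ins = latest.get(key)
        if ins is None or (today - ins.when).days > max_age_days:
            findings.setdefault(key, []).append("stale")
            if ins is None:
                continue
        # A stale inspection is still evidence; evaluate it anyway.
        if ins.serial_seen != term.serial:
            findings.setdefault(key, []).append("serial_mismatch")
        if not ins.seal_intact:
            findings.setdefault(key, []).append("seal_broken")

    for key in latest:
        if key not in by_lane:
            findings.setdefault(key, []).append("unknown_device")
    return findings


def stores_to_isolate(findings):
    """Stores showing a physical-compromise indicator; disable PIN entry there."""
    return sorted({store for (store, _), codes in findings.items()
                   if "serial_mismatch" in codes or "seal_broken" in codes})


# Constructed sample data (hypothetical stores, lanes and serial numbers).
TODAY = date(2012, 9, 10)
INVENTORY = [
    Terminal("0107", 1, "PP-1000", "SN-A1001"),
    Terminal("0107", 2, "PP-1000", "SN-A1002"),
    Terminal("0412", 1, "PP-1000", "SN-B2001"),
    Terminal("0930", 1, "PP-1000", "SN-C3001"),
]
INSPECTIONS = [
    Inspection("0107", 1, TODAY - timedelta(days=1), "SN-A1001", True),
    Inspection("0107", 2, TODAY - timedelta(days=10), "SN-A1002", True),  # superseded
    Inspection("0107", 2, TODAY - timedelta(days=2), "SN-A9999", True),   # unit swapped
    Inspection("0412", 1, TODAY - timedelta(days=30), "SN-B2001", True),  # stale
    Inspection("0930", 1, TODAY - timedelta(days=1), "SN-C3001", False),  # seal broken
    Inspection("0930", 2, TODAY - timedelta(days=1), "SN-Z0001", True),   # not inventoried
]

if __name__ == "__main__":
    result = reconcile(INVENTORY, INSPECTIONS, TODAY)
    for key in sorted(result):
        print(key, result[key])
    print("isolate:", stores_to_isolate(result))
```

A swapped unit shows up as a serial mismatch even when the replacement looks identical, which is why the serial is compared rather than the model; an overlay or opened case shows up through the seal check. The stale finding matters on its own: a lane that nobody has inspected within the window cannot be vouched for, and the decision to disable PIN entry at the affected stores is the same one Barnes & Noble took nationwide.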
Timeline
- 2012-08-01 Breach occurred
- 2012-10-24 Publicly disclosed
- 2012-10-24 Customers notified