Credential theft

Barnes & Noble POS PIN Pad Tampering: 63 Stores, Card Skimmers

Date: 2012-06-01

Incident Details

Barnes & Noble disclosed in October 2012 that criminals had tampered with at least one PIN pad terminal at each of 63 of its retail bookstore locations across nine states (California, Connecticut, Florida, Illinois, New Jersey, New York, Pennsylvania, Rhode Island, and Virginia). The tampering took place over the summer of 2012, likely beginning around June. The compromised PIN pads captured full magnetic stripe data as cards were swiped at checkout and recorded the PIN as the customer keyed it in; the PIN is not encoded on the stripe, which is why a tampered PIN pad, rather than a plain stripe reader, was needed to harvest it.

Barnes & Noble discovered the tampering in September 2012 and immediately disconnected all PIN pad devices at its nearly 700 US stores while it conducted a forensic sweep. The company delayed public disclosure until October 24 at the request of the FBI, which was investigating the criminal operation. Barnes & Noble notified customers and worked with card issuers to identify and reissue compromised cards.

The attack required physical access to store checkout areas, which suggests either inside knowledge or the ability to reach checkout terminals during store hours or after hours. The case highlighted the risk of physical tampering with payment terminals as a complement to purely network-based card theft: attackers were apparently able to modify or swap devices without detection by store staff. Multiple class-action lawsuits were filed against Barnes & Noble alleging inadequate physical security of its payment terminals.

Technical Details

Initial Attack Vector
Physical PIN pad tampering: attackers installed hardware skimmers in, or substituted modified versions of, the PIN pad devices at Barnes & Noble retail checkout terminals in 63 stores across nine US states; the tampered devices captured payment card magnetic stripe data and the PINs customers entered on the keypad
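To make concrete what "full magnetic stripe data" means, the following is an added example, not code from the original page and not connected to Barnes & Noble or its vendors. It parses ISO 7813 Track 2 data, the record a stripe skimmer captures on every swipe, validates the PAN with the Luhn check, and decodes the service code, which tells the terminal whether a chip is present and whether a PIN is required. The sample swipe strings are constructed (4111111111111111 is the standard Visa test PAN; expiry and discretionary data are made up), and the function and class names are the author's own.

```python
"""Parse ISO 7813 Track 2 magnetic-stripe data and decode the service code.

A stripe skimmer records everything below in the clear. The PIN is not on
the stripe: a tampered PIN pad has to log it from the keypad separately.
"""
import re
from dataclasses import dataclass

# Track 2 layout: start sentinel ';', PAN (up to 19 digits), separator '=',
# expiry YYMM, 3-digit service code, discretionary data, end sentinel '?',
# optionally followed by a single LRC character.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?.?$"
)

# Service code digit 1: interchange rules and chip (IC) preference.
SVC_DIGIT1 = {
    "1": "international interchange",
    "2": "international interchange, use chip where possible",
    "5": "national interchange only",
    "6": "national interchange only, use chip where possible",
    "7": "no interchange except by bilateral agreement",
    "9": "test card",
}
CHIP_PREFERRED = {"2", "6"}

# Service code digit 3: permitted services and PIN policy.
SVC_DIGIT3 = {
    "0": ("no restrictions", "required"),
    "1": ("no restrictions", "none"),
    "2": ("goods and services only", "none"),
    "3": ("ATM only", "required"),
    "4": ("cash only", "none"),
    "5": ("goods and services only", "required"),
    "6": ("no restrictions", "where feasible"),
    "7": ("goods and services only", "where feasible"),
}


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check on the PAN; it catches misreads, not fraud."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render a PAN the way a log may store it: first six and last four only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str
    luhn_valid: bool
    chip_preferred: bool
    pin_policy: str


def parse_track2(raw: str) -> Track2:
    """Split a raw Track 2 string into its fields; raise on malformed input."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not a well-formed Track 2 string")
    pan, exp, svc, disc = m.group("pan", "exp", "svc", "disc")
    if svc[0] not in SVC_DIGIT1 or svc[2] not in SVC_DIGIT3:
        raise ValueError(f"unknown service code {svc}")
    _, pin_policy = SVC_DIGIT3[svc[2]]
    return Track2(pan, exp, svc, disc, luhn_valid(pan),
                  svc[0] in CHIP_PREFERRED, pin_policy)


# Constructed sample swipes (not real cards). 4111111111111111 is the
# well-known Visa test PAN; expiry and discretionary data are invented.
SAMPLE_SWIPES = [
    ";4111111111111111=25121010000012345678?",  # svc 101: stripe only, no PIN
    ";4111111111111111=25122010000012345678?",  # svc 201: chip preferred
    ";4111111111111112=25121010000012345678?",  # bad check digit: a misread
]


def summarize(raw: str) -> str:
    """One masked line per swipe, as an analyst's triage script might print."""
    t = parse_track2(raw)
    return (f"{mask_pan(t.pan)} exp {t.expiry_yymm[2:]}/{t.expiry_yymm[:2]} "
            f"svc {t.service_code} luhn={'ok' if t.luhn_valid else 'FAIL'} "
            f"chip={'preferred' if t.chip_preferred else 'no'} "
            f"pin={t.pin_policy}")


if __name__ == "__main__":
    for swipe in SAMPLE_SWIPES:
        print(summarize(swipe))
```

The service code is the practical takeaway: a card whose stripe says 201 or 601 asks the terminal to use the chip, and a chip transaction does not expose static track data that can be replayed onto a cloned card. In 2012 most US terminals, including bookstore PIN pads, still fell back to the stripe, which is what made the harvested data directly usable.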

Timeline

  1. 2012-06-01 Tampering began (approximate; the devices were tampered with over the summer of 2012)
  2. 2012-09 Tampering discovered; PIN pads disconnected at all stores
  3. 2012-10-24 Publicly disclosed
  4. 2012-10-24 Customers notified