Staples: 1.2 Million Cards Breached
Malware Attack Affected Small Percentage of Stores
Office supply retailer Staples says nearly 1.2 million payment cards were compromised in a malware attack against point-of-sale systems that was confirmed back in mid-November (see: Staples Confirms POS Malware Attack).
The retailer first acknowledged in October that it was investigating a suspected breach after reports surfaced that elevated levels of fraud had been traced to about a dozen of its stores in the Northeastern United States (see: Staples Launches Breach Investigation).
But in a Dec. 19 statement, the company says an investigation determined that malware affected systems at 115 of its more than 1,400 U.S. retail stores.
Staples says it eradicated the malware from its systems and has taken steps to further enhance its security. The retailer also says it has retained outside data security experts to investigate the incident and has worked closely with payment card companies and law enforcement.
Compromised information includes cardholder names, payment card numbers, expiration dates and card verification codes. For 113 of the affected stores, the malware may have accessed the data from Aug. 10 through Sept. 16. For the remaining two stores, the time period of potential compromise was July 20 to Sept. 16.
As a result of the breach, Staples is offering free identity protection services, including credit monitoring, identity theft insurance and a free credit report, to customers who may have been affected.
A list of specific stores and dates of potential compromise can be found here.
During the investigation, Staples also received separate reports of fraudulent payment card use related to four stores in Manhattan, N.Y., at various times from April through September. The investigation found no malware or suspicious activity related to payment systems at those stores, Staples says, but out of an abundance of caution the retailer is offering free identity protection services to customers who used their payment cards at those stores during specific time periods.
"Staples is committed to protecting customer data and regrets any inconvenience caused by this incident," the company says. "Staples has taken steps to enhance the security of its point-of-sale systems, including the use of new encryption tools."