It was perhaps just a matter of time before the next household retail name came up in the data breach headlines. Staples has confirmed that it has been hacked with point-of-sale malware, which captured details on about 1.2 million payment cards.
The office-supply giant contacted law enforcement back in October about a potential incident, which has now been shown to have affected 115 stores nationwide. A list of affected locations can be found here.
The hackers were able to access “some transaction data at affected stores,” Staples said, including cardholder names, payment card numbers, expiration dates and card verification codes—everything needed to carry out online fraud. The malware was operational for just over a month at 113 stores, scraping info for purchases made from August 10 through September 16, 2014. At two stores, the malware was active from July 20 through September 16.
During the investigation Staples also received reports of fraudulent payment card use related to four stores in Manhattan, though no malware evidence was found. This was a longer period: the activity took place sporadically from April through September 2014. The investigation found no malware or suspicious activity related to the payment systems at those stores.
Staples is offering free identity protection services, including credit monitoring, identity theft insurance and a free credit report, to customers who used their payment cards at those stores during those specific time periods.
Typically, customers are not responsible for any fraudulent charges on their credit cards that are reported in a timely fashion. Those who shopped at the affected stores during the relevant time periods should review their account statements and notify their card issuers of any suspicious activity.
“Staples is committed to protecting customer data and regrets any inconvenience caused by this incident,” the company said. “Staples has taken steps to enhance the security of its point-of-sale systems, including the use of new encryption tools.”