Staples says 1.16M cards affected during data breach

Data suggests the attackers were compromising cards for more than six months

[Image: Staples store. Credit: Anthony92931]

Staples, one of the nation's largest office supply retailers, said in a statement on Friday that at least 1.16 million credit and debit cards were impacted after POS malware infected systems at 115 stores nationwide.

The public first learned of the Staples breach in October, after sources in the banking industry told investigative journalist Brian Krebs about an uptick in debit and credit card fraud, with Staples being the common link.

In a statement at the time, Staples wouldn't confirm the breach, but said they were investigating the possibility of one.

Those early reports centered on fraudulent activity in the Northeastern U.S., but according to Staples, "the investigation found no malware or suspicious activity related to the payment systems at those stores."

As for the source of the attack, Staples said in their statement that criminals were able to install malware on their POS network.

"Based on its investigation, Staples believes that malware may have allowed access to some transaction data at affected stores, including cardholder names, payment card numbers, expiration dates, and card verification codes. At 113 stores, the malware may have allowed access to this data for purchases made from August 10, 2014 through September 16, 2014. At two stores, the malware may have allowed access to data from purchases made from July 20, 2014 through September 16, 2014."

According to the company's timeline, the earliest detected infection was in April of this year.

Most, if not all, of the infections were cleaned up by September 30, meaning that the attackers had at least 182 days on the network. Per store, the minimum breach time was 37 days, with a maximum of 181 days.

Staples has offered customers who used their cards at the affected stores free identity theft protection services, including credit monitoring, identity theft insurance, and a free credit report. Registration for these services is available from Staples.

Earlier this year, the United States Secret Service, working with Trustwave, warned more than 600 businesses about attacks using POS malware. The breaches at Home Depot, Target, Dairy Queen, and Kmart have since all been linked to POS malware variants, including Backoff, BlackPOS, vSkimmer, and TriForce.
