Data suggests the attackers were compromising cards for more than six months

Staples, one of the nation’s largest office supply retailers, said in a statement on Friday that at least 1.16 million credit and debit cards were impacted after POS malware infected systems at 115 stores nationwide.

The public first learned of the Staples breach in October, after sources in the banking industry told investigative journalist Brian Krebs about an uptick in debit and credit card fraud, with Staples being the common link.

In a statement at the time, Staples wouldn’t confirm the breach, but said they were investigating the possibility of one.

Those early reports centered on fraudulent activity in the Northeastern U.S., but according to Staples, “the investigation found no malware or suspicious activity related to the payment systems at those stores.”

As for the source of the attack, Staples said in their statement that criminals were able to install malware on their POS network.

“Based on its investigation, Staples believes that malware may have allowed access to some transaction data at affected stores, including cardholder names, payment card numbers, expiration dates, and card verification codes. At 113 stores, the malware may have allowed access to this data for purchases made from August 10, 2014 through September 16, 2014. At two stores, the malware may have allowed access to data from purchases made from July 20, 2014 through September 16, 2014.”

According to the company’s timeline, the earliest detected infection was in April of this year. Most, if not all, of the infections were cleaned up by September 30, meaning that the attackers had at least 182 days on the network. Per store, the minimum breach time was 37 days, with a maximum of 181 days.

Staples has offered customers who used their cards at the affected stores free identity theft protection services, including credit monitoring, identity theft insurance, and a free credit report.
Registration for said services can be accessed here.

Earlier this year, the United States Secret Service, working with Trustwave, warned more than 600 businesses about attacks using POS malware. The breaches at Home Depot, Target, Dairy Queen, and Kmart have since all been linked to POS malware variants, including Backoff, BlackPOS, vSkimmer, or TriForce.