Staples breach may have exposed more than 1 million cards

Framingham, Mass. – About 1.16 million customer payment cards may have been exposed in a security breach at Staples Inc. earlier this year. In an update on the breach situation, Staples said that criminals deployed malware to some POS systems at 115 of its more than 1,400 U.S. retail stores, providing access to data from purchases made from July 20 through Sept. 16, 2014.

Upon detection, Staples immediately took action to eradicate the malware in mid-September and to further enhance its security. Staples also retained outside data security experts to investigate the incident and has worked closely with payment card companies and law enforcement. Based on its investigation, Staples believes that malware may have allowed access to some transaction data at affected stores, including cardholder names, payment card numbers, expiration dates, and card verification codes.



At 113 stores, the malware may have allowed access to this data for purchases made from Aug. 10 through Sept. 16, 2014. At two stores, the malware may have allowed access to purchase data from July 20 through Sept. 16, 2014. As a result, Staples is offering free identity protection services, including credit monitoring, identity theft insurance, and a free credit report, to customers who used a payment card at any of the affected stores during the relevant time periods.



During the investigation Staples also received reports of fraudulent payment card use related to four stores in Manhattan at various times from April through September 2014. The investigation found no malware or suspicious activity related to the payment systems at those stores. However, Staples is offering free identity protection services, including credit monitoring, identity theft insurance, and a free credit report, to customers who used their payment cards at those stores during specific time periods.



Staples has taken steps to enhance the security of its POS systems, including the use of new encryption tools.