Staples says as many as 1.16 million customer credit cards may have been compromised as part of a malware attack on some of its point-of-sale systems earlier this year. Today the company released some of its findings of an investigation into the attacks, saying that malware was found in 113 of its US stores, and may have affected purchases at those locations made between August 10th, 2014 and September 16th, 2014. Staples added that at two stores, the malicious software could have been running unseen for even longer, dating all the way back to late-July.
Attackers could have accessed card names and numbers
Staples says it removed the malware from its systems back in mid-September, and has since bolstered its security with newer encryption tools. That didn't stop attackers from potentially getting customer credit card numbers, verification codes, expiration dates, and full cardholder names before those extra measures were added. Staples says it plans to offer free identity protection services to customers who shopped at those stores with their cards, including credit monitoring and identity theft insurance.
Besides the malware issue, Staples disclosed what it says were "reports of fraudulent payment card use" at four of its stores in Manhattan, but said that there was no malware or "suspicious activity" at those locations. Nonetheless, the company says it's also erring on the side of caution, and offering similar identity protection to people who shopped there as well.
This breach is tiny compared to Target and The Home Depot
Staples acknowledged the potential of a breach back in October, saying it was beginning its own investigation into the matter. That was preceded by a dispatch from cyber security expert Brian Krebs, who reported "a pattern of credit and debit card fraud" that had been picked up on by several East Coast banking sources, and was believed to be tied to point-of-sale malware.
Both the number of stores and the potential number of affected cards are quite low compared to high-profile retail security breaches that occurred in the past year or so. The one on Target last December claimed 40 million credit and debit cards, as well as the personal information of approximately 110 million Target shoppers, something that's led to a lawsuit from consumers against the retail giant. There was also the hacking effort against The Home Depot, which compromised approximately 56 million credit cards.
Staples has published the full list of affected stores, and the dates when the malware was in operation here.