A little over a month ago, office supply chain Staples Inc. confirmed a data breach. Today the company finally acknowledged that its systems were compromised by malware and disclosed that over 1.16 million payment cards were stolen during the breach. The company claims some 119 stores were impacted between April and September of 2014, a six-month breach that resulted in data from over one million credit and debit cards being stolen.
Staples began investigating a suspected breach on October 20th after numerous financial institutions noticed a string of credit card fraud all leading back to the Staples retailer. Later, in November, the company confirmed the data breach, and individuals close to the investigation stated the company may have been infected by the same malware that hit the Michaels retailer.
In a statement issued Monday, Staples released information regarding the breach, including a list of stores (PDF) infected with the card-stealing malware. The company initially believed the breach had only affected stores in the Northeastern United States, but it affected a far wider range than initially believed, covering over 35 states nationwide.
“At 113 stores, the malware may have allowed access to this data for purchases made from August 10, 2014 through September 16, 2014,” Staples said in a statement. “At two stores, the malware may have allowed access to data from purchases made from July 20, 2014 through September 16, 2014.”
Staples also received reports of payment cards being abused for fraud from four stores located in Manhattan, New York between April and September of this year.
In its public statement, Staples noted it will offer one free year of identity protection, which includes credit monitoring, identity theft insurance and credit reporting, to customers who shopped at affected stores dating back to April.
Security company Seculert identified the breach and dated it back to April, locking in the timeline at a six-month-long breach. Chief technology officer Aviv Raff said the per-store minimum time to detect and respond to the Staples breach averaged 40 days.
Though the Staples Inc. breach was minimal compared to mass-scale breaches such as Target and Home Depot, the company was hit with the same type of card-stealing malware. Due to poorly secured point-of-sale systems, the retailer's storefront registers were infected with RAM-scraping malware, allowing hackers to steal payment card information.
The attackers that hit Staples do not appear to be associated with the groups that hacked Target and Home Depot earlier this year. The Staples breach is, however, believed to be tied to the hack of the Michaels retailer earlier this year.