In the data breach at the office supply retail chain Staples, a recent investigation found roughly 100 of the retailers storefront locations to be infected with malwre, experts also believe the Staples data breach may be tied to the Michaels craft store breached earlier this year.
Security expert, Brian Krebs was alerted by various banking institutions claiming that they have received alerts from Visa and MasterCard about cards impacted in the Staples breach, saying that a subset of Staples locations were compromised between July and September of 2014.
Anonymous sources briefed on the investigation told Krebs the breach involved “card-stealing malicious software” installed on the retailers Point-of-Sale devices, commonly known as cash registers, at approximately 100 Staples storefront locations. Framingham, Massachusetts-based Staples operates more than 1,800 storefronts nationwide.
Staples spokesman Mark Cautela did not choose to disclose details involving the breach, only noting the company believes it has found the malware culprit and removed it from their systems.
“We are continuing to investigate a data security incident involving an intrusion into some of our retail point of sale and computer systems,” Cautela said in a emailed statement. “We believe we have eradicated the malware used in the intrusion and have taken steps to further enhance the security of our network. The Company is working with law enforcement and is investigating whether any retail transaction data may have been compromised. It is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis.”
Sources briefed on the investigation said the malware found in Staples locations was communicating with the same command-and-control center attackers used during the intrusion at Michaels, another retailer affected by a data breach at the beginning of 2014. Michaels was breached two times over a period of eight months, resulting in the theft of three million customer credit and debit cards.
Sources close to the investigation compared the Staples data breach to the recent nationwide grocer Albertsons breach, noting that the breaches resulted in less customer credit and debit cards stolen than hackers had access too. It remains unclear what factors hindered the Staples hackers to breach so few payment card information, especially compared to the tens of millions of payment card data stolen in breaches at similar nationwide retailers including Home Depot, which put 56 millions cards at risk, and Target, which put over 40 million cards at risk.
We can expect to see a rise in major retail chains reporting hacks as Black Friday approaches, which could be a party if hackers successfully intrude. Many retailers continue to handle credit and debit card information in an unencrypted format while leaving their networks vulnerable to attack.
It is highly recommended all retailers audit their security systems before the Black Friday surge.
Staples can now add themselves to the never ending list of breached retailers.