Staples Investigates Potential Breach in the Northeast

Update: 9:00 a.m. ET: On December 19, Staples, Inc. released a statement outlining their findings regarding a data breach at 115 of their retail locations.

Following the investigation, Staples confirmed initial suspicions that hackers used malware on the company's point-of-sale systems to access customer payment card information.

Approximately 1.16 million payment cards were exposed in the breach. Leaked card information includes cardholder names, payment card numbers, expiration dates and card verification codes.

The attack occurred between August 10, 2014 and September 16, 2014 at 113 of their stores. Two of their stores had malware on their systems starting on July 20. The company has released a list of impacted locations along with dates of exposure.

Staples will offer free identity protection services, including credit monitoring, identity theft insurance and a free credit report to potentially impacted customers. Concerned customers may sign up for these services here.


Update: 9:30 a.m. ET: On November 14, independent security expert Brian Krebs discovered a link between the Staples and Michaels breaches. The malware placed on Staples point-of-sale systems was communicating with some of the same networks that hackers used almost a year prior. This connection raises additional concerns regarding the size and scope of this group of hackers.

Staples spokesman Mark Cautela explained to Krebs that the company is continuing to work diligently with law enforcement in order to resolve the matter.

“We are continuing to investigate a data security incident involving an intrusion into some of our retail point of sale and computer systems,” Cautela said in a statement emailed to KrebsOnSecurity. “We believe we have eradicated the malware used in the intrusion and have taken steps to further enhance the security of our network.”


What happened?

Staples, Inc., the world’s largest office supply chain, is investigating a potential data breach of customer payment card information.

Independent security expert Brian Krebs was first to publicize his initial suspicions after receiving evidence from more than a half-dozen financial institutions:

“Multiple banks say they have identified a pattern of credit and debit card fraud suggesting that several Staples Inc. office supply locations in the Northeastern United States are currently dealing with a data breach.”

Staples acknowledges that consumer payment card data may have been exposed. They have since contacted law enforcement authorities and are working with them to resolve the matter.

Currently, the attack appears centralized in select stores in Pennsylvania, New York and New Jersey. Given that Staples owns nearly 2,000 retail locations, this breach has the potential to become disastrous. The company is hopeful that the full extent of the breach will be understood in the upcoming days.

The breach comes just days after Staples announced its smartphone app would now support Apple Pay, a new payment method developed with the primary purpose of increasing security.

What should you do?

Customers who used their payment card at Staples — especially in the Northeast U.S. — should take the following precautionary measures immediately:

  1. Monitor your bank statements for unusual transactions
  2. Check your credit report
  3. Report any unusual activity; remember, credit card companies will not hold customers liable for fraudulent charges as long as they are reported quickly
  4. Contact your financial institution to set up email or text alerts for your credit or debit cards
  5. Stay up-to-date with new fraud and identity theft developments by subscribing to Fighting Identity Crimes or connecting with EZShield on Facebook, Twitter, or Google+

The views and opinions expressed in this article are those of EZShield Inc. alone and do not necessarily reflect the opinions of any other person or entity, including specifically any person or entity affiliated with the distribution or display of this content.

John is General Counsel and Chief Privacy Officer of Sontiq, the parent company of the EZShield and IdentityForce brands. He is a Certified Compliance...
Read more about John Burcham.
