Staples Breach Compromises Nearly 1.2m Cards

Staples said last week that nearly 1.2 million of its customers’ credit and debit cards may have been compromised, thanks to a security breach that impacted 119 stores between April and September 2014.

Security blogger Brian Krebs first reported on the breach at the end of October after multiple banks connected a number of fraudulent transactions to cards that had been used at Staples locations in the Northeastern United States. At the time, Staples would only confirm that it was looking into a potential incident.

Now the retailer has admitted that point-of-sale systems at 115 of its stores were infected with malware that may have compromised cardholder names, payment card numbers, expiration dates and card verification codes. Staples also received reports of fraudulent payment card use at four other stores in New York between April and September, though an investigation found no malware or suspicious activity on its point-of-sale systems at these locations.

Staples claims to have eradicated the malware and enhanced its security. It also said it worked with outside security experts, as well as law enforcement and payment card companies to resolve the matter.

According to a report by Russian and Dutch security researchers, the criminals who breached Staples
also hit 15 other retailers and have stolen approximately $25 million from banks
. The group, which is believed to be Russian and Ukrainian, has hacked more than 50 Russian banks since early 2013, stealing more than 1bn roubles. Most of the attacks occurred in the last six months.


Related reading