Office supply chain Staples updated the public Friday on a payment card breach that occurred in late summer, conceding that malware was used at some point-of-sale systems at 115 of its more than 1,400 U.S. retail stores.
Overall, the company believes that about 1.16 million payment cards may have been affected. Specific stores and dates can be found here.
KrebsOnSecurity first reported the suspected breach on Oct. 20, 2014, after hearing from several bankers who had identified a pattern of credit and debit card fraud.
Upon detecting the breach, Staples said it “immediately took action to eradicate the malware in mid-September and to further enhance its security.” Staples also retained outside data security experts to investigate the incident.
“Based on its investigation, Staples believes that malware may have allowed access to some transaction data at affected stores, including cardholder names, payment card numbers, expiration dates, and card verification codes,” Staples said in today’s statement.
At 113 stores, the malware may have allowed access to data for purchases made from August 10, 2014 through September 16, 2014. At two stores, the malware may have allowed access to data from purchases made from July 20, 2014 through September 16, 2014.
As in all cases of payment card data hacks, customers are usually not responsible for any fraudulent charges on their credit cards, but they should report fraudulent activity in a timely fashion.
“Staples customers who shopped at the affected stores during the relevant time periods should review their account statements and notify their card issuers of any suspicious activity,” the company said.
Staples is offering free identity protection services, including credit monitoring, identity theft insurance, and a free credit report, to customers who used a payment card at any of the affected stores during the relevant time periods.