In October 2014, Staples announced that it was collaborating with law enforcement to investigate a potential breach. The office supply retailer has since revealed that point-of-sale systems in 119 stores were infected with malware. Over the course of the breach, which extended from April 2014 to September 2014, 1.16 million credit and debit cards may have been stolen.
Upon detection, Staples focused on eradicating the malware and partnered with outside data experts to further investigate the incident. Based on this detailed inspection, the retailer reported that the malware may have allowed access to transaction data at affected stores, including cardholder names, payment card numbers, expiration dates and card verification codes.
The malware may have provided access to this data for purchases made from Aug. 10, 2014, through Sept. 16, 2014, in 113 stores. But in two stores, the malware hit earlier, providing access to data from purchases made from July 20, 2014, through Sept. 16, 2014. The retailer provided a detailed list of all stores that were hit by the breach.
During its investigation, Staples also received reports of fraudulent payment card use in four stores across New York City between April and September 2014.
“The investigation found no malware or suspicious activity related to the payment systems at those stores,” the company noted in a statement. “However, out of an abundance of caution, Staples is offering free identity protection services, including credit monitoring, identity theft insurance, and a free credit report, to customers who used their payment cards at those stores during specific time periods.”