Nearly three months after reports first surfaced suggesting that Staples had experienced a data breach, the Massachusetts-based office retailer acknowledged that criminals used malware at 115 of its stores to steal names, dates and card verification codes for approximately 1.16 million payment cards between July to September.
Staples has over 1,400 retail locations in the U.S., and retained outside security experts to assist in eradicating the malware from its systems. Of the 115 stores affected, only two stores were likely to have been affected between July 20 and Sept. 16. The other 113 stores appear to have been affected between Aug. 10 and Sept. 16.
Staples said it would offer free identity protection services, including credit monitoring, identity theft insurance, and a free credit report, to all customers who used a payment card at any of the affected stores during the relevant time periods. The company provided a list of all affected stores here.
The office supply chain also found during its investigation that payment cards had been fraudulently used at four Staples stores in Manhattan between April and September 2014.
“The investigation found no malware or suspicious activity related to the payment systems at those stores. However, out of an abundance of caution, Staples is offering free identity protection services, including credit monitoring, identity theft insurance, and a free credit report, to customers who used their payment cards at those stores during specific time periods,” the firm stated.
Staples said it has added new encryption tools and enhanced security to its point-of-sale systems as a result of the breach. Staples also recommended that any customers who used their cards during that time check their accounts for fraudulent use.