Staples has confirmed that tue retail payment systems at some of its stores were breached this summer, Bank Info Security reported on Tuesday (Nov. 18).
The office supply chain said last month that it was investigating a suspected breach, after reports of payment card fraud traced to Staples stores in the northeastern U.S. The retailer has now confirmed that there was a malware-related breach, though a company spokesman wouldn’t say how many stores were affected. “We believe we have eradicated the malware used in the intrusion and have taken steps to further enhance the security of our network,” Staples spokesman Mark Cautela said.
But two card issuers told Bank Info Security that they received alerts from payment card brands indicating that the breaches date from July 2 until Sept. 14, and involve stores in New Jersey, New York City and Pennsylvania. Another issuing bank in California said it had also received an alert, but hadn’t seen significant fraud on cards it issued.
While Staples wouldn’t offer a store count, security blogger Brian Krebs reported on Tuesday, citing unnamed sources, that point-of-sale systems at about 100 Staples stores were infected. Staples has more than 2,000 stores in 26 countries, including 1,800 in the U.S. and Canada. Krebs also reported that the malware was similar to that used in the breach at Michaels craft stores that surfaced in January, in which 3 million cards were compromised.
However, unnamed sources close to the investigation told Krebs that far fewer cards were stolen in the theft than thieves might have taken, and it’s unclear what factors may have limited the number of cards stolen.