On October 21 we reported that several banks had identified a pattern of credit and debit card fraud, suggesting that several Staples office supply stores in the United States had suffered a data breach.
It wasn’t until November 18 that Staples confirmed a data breach had indeed taken place, stating, “We are continuing to investigate a data security incident involving an intrusion into some of our retail point-of-sale and computer systems. We believe we have eradicated the malware used in the intrusion and have taken steps to further enhance the security of our network.”
A month later, Staples has released a statement confirming that it suffered a data breach between April and September, putting 1.16 million card data records at risk.
“At 113 stores, the malware may have allowed access to this data for purchases made from August 10, 2014 through September 16, 2014,” Staples disclosed. “At two stores, the malware may have allowed access to data from purchases made from July 20, 2014 through September 16, 2014.”
A list of affected stores is available here.
Staples has more than 1,400 stores in the US and should consider itself lucky that only 8% of these stores were affected.