Office supply chain Staples Inc. today finally acknowledged that a malware intrusion this year at some of its stores resulted in a credit card breach. The company now says some 119 stores were impacted between April and September 2014, and that as many as 1.16 million customer credit and debit cards may have been stolen as a result.
KrebsOnSecurity first reported the suspected breach on Oct. 20, 2014, after hearing from multiple banks that had identified a pattern of credit and debit card fraud suggesting that several Staples office supply locations in the Northeastern United States were dealing with a data breach. At the time, Staples would say only that it was investigating “a potential issue” and had contacted law enforcement.
In a statement issued today, Staples released a list of stores (PDF) hit with the card-stealing malware, and the stores are not limited to the Northeastern United States.
“At 113 stores, the malware may have allowed access to this data for purchases made from August 10, 2014 through September 16, 2014,” Staples disclosed. “At two stores, the malware may have allowed access to data from purchases made from July 20, 2014 through September 16, 2014.”
However, the company did say that during the investigation Staples also received reports of fraudulent payment card use related to four stores in Manhattan, New York at various times from April through September 2014.
Aviv Raff, chief technology officer at Seculert, said the per-store minimum time to detect and respond to the breach was an average of 40 days.
“Once again, much like previous breaches, the statistics of the Staples’ breach shows the necessity of moving from trying to prevent an attack to try and detect and respond as quickly as possible,” Raff said.
It appears that the attackers responsible for the Staples break-in are not the same group thought to have hit Target and Home Depot. In November, I posted a story that cited sources close to the Staples investigation saying the breach at Staples impacted roughly 100 stores and was powered by some of the same criminal infrastructure seen in the intrusion disclosed earlier this year at Michaels craft stores.