Staples, Framingham, Mass., provided an update Friday—two months after its potential credit breach first was announced.
An investigation determined that malware was placed on some point-of-sale systems at 115 of its more that 1,400 U.S. retail stores. When detected in mid-September, Staples removed the threat and enhanced its security, including the use of new encryption tools and the hiring of data security experts to investigate the incident.
Compromised information from the 1.16 million credit cards may have included cardholder names, payment card numbers, expiration dates and card verification codes after a transaction at an affected store. The company’s promotional products arm was unaffected.
The majority of the 115 stores that spanned 35 states was affected between Aug. 10 and Sept. 16. However two stores—one in Jersey City, N.J. and another in Springfield, Pa.—were compromised beginning July 20.
Staples is offering free identity protection services, including credit monitoring, identity theft insurance and a free credit report to customers who used a payment card at any of the affected stores during the relevant time periods.
During the investigation, Staples also learned of fraudulent payment card use at four Manhattan, New York stores beginning as early as April 1 and continuing as late as Sept. 30. While no malware or suspicious activity involving the payment systems were found, to be cautious, Staples is also offering the same services to customers who used those stores during the designated times.
