The electronics retail giant published a more detailed timeline on Friday following an investigation that launched this fall.
Investigators believe malware penetrated Staples' point-of-sale systems at 113 of its more than 1,400 retail locations nationwide, which may have permitted access to customer data stemming from purchases made between August 10 and September 16.
The problem is worse for at least two unspecified locations, where data could have been vulnerable from as early as July 20 through September 16.
Staples admitted approximately 1.16 million payment cards may have been affected.
Transaction data that could have been compromised consists of cardholder names, payment card numbers, expiration dates, and card verification codes.
Staples insisted it took action by mid-September to "eradicate the malware" and upgrade security, while retaining data security experts to conduct the investigation. The Massachusetts-based company added that it sought help from both credit card companies and law enforcement agencies.
So far, Staples said it has already received reports of fraudulent credit card use at four retail locations in New York City between April and September 2014, but investigators didn't link these incidents with malware or any other relevant suspicious activity.
Staples also did not provide any further details about potential suspects or arrests related to the attack.
Staples is offering customers who used a payment card during those time frames free access to identity protection services, such as credit monitoring, identity theft insurance, and a free credit report.