Staples is investigating a possible data breach which may have resulted in the loss of customer credit card data.
Originally reported by Krebs on Security, the US retailer may be the latest victim in a string of high-profile outlets that have suffered recent cyberattacks. At least half a dozen banking sources told Krebs that "a pattern of credit and debit card fraud" suggests that customer data may have been stolen from a number of Staples outlets.
According to the bank sources, fraudulent transactions have taken place at non-Staples outlets — including supermarkets — but the pattern of fraud implies that point-of-sale (PoS) systems at Staples may have fallen afoul of malware which lifts credit card details and allows for replicas to be generated and used.
Framingham, Mass.-based Staples operates over 1,800 stores across the United States, as well as outlets in other countries. However, in the face of stiff Internet competition, the office equipment supplier's sales have been hurt — resulting in the need to slash $500 million in costs and close 225 stores by the end of next year — and a potential data breach will not help the firm weather the financial storm.
Stores which may have been affected include seven in Pennsylvania, at least three in New York City, and one in New Jersey.
In a statement, company spokesman Mark Cautela said Staples is investigating a "potential issue involving credit card data and has contacted law enforcement."
"We take the protection of customer information very seriously and are working to resolve the situation," Cautela said. "If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis."
If confirmed, Staples will follow the likes of Target, Neiman Marcus and Home Depot, joining the ranks of US retailers hit by cyberattacks this year. Target was struck late last year, and lost approximately 40 million customer records containing financial data such as debit and credit card information, as well as roughly 70 million accounts which contained addresses and mobile numbers. Neiman Marcus's security breach resulted in the loss of 1.1 million cards, and Home Depot suffered an attack where 56 million payment cards were compromised by malware.