113 stores compromised between August 10 and September 16

Dec 20, 2014 11:38 GMT

Office supply retailer Staples provided updated details regarding its investigation of a data breach reported by third parties in October, revealing that information of about 1.16 million payment cards may have been affected by the incident.

The company discovered that point-of-sale systems at 115 locations had been compromised. At two of them the malware was present as early as July 20, 2014, while at the rest it accessed payment data starting August 10, 2014.

After receiving information about a possible intrusion, Staples started an investigation and also alerted law enforcement. News about a compromise at Staples came after several financial institutions found that data of cards used at the office supply retailer was available for sale on underground forums.

At that time, Mark Cautela, Staples’ Senior Public Relations Manager, said that an intrusion could not be confirmed but efforts were made to determine the accuracy of the claims.

Intruders stole CVC numbers

On Friday, the company announced in a statement that a breach had indeed affected the business and that it lasted until September 16, 2014.

“Overall, the company believes that approximately 1.16 million payment cards may have been affected,” the official communication says.

The details exposed in the breach include the cardholder’s name, card number, expiration date, and card verification codes (CVC). These details are enough to allow someone to make online purchases, as observed initially by the financial institutions that suspected a breach at Staples.

CVC values are the numbers printed on the back of the card and are required for “card-not-present” transactions, such as those carried out online. They are meant to reduce online fraud risk by confirming that the shopper actually has the card in hand.

Under PCI DSS (Payment Card Industry Data Security Standard), merchants must not store these codes, a requirement meant precisely to limit this kind of exposure.
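Whether that rule is actually being followed is something a merchant can check in its own logs and databases. The Python scanner below is added here as an illustration and is not Staples' code or anything from the article; it flags lines that still hold a verification-code field, magnetic-stripe track data, or a full Luhn-valid card number, and shows the record shape that may be kept instead. The log lines are constructed.

```python
import re

# Constructed sample log lines (not real data): a raw card payload logged by
# mistake, a properly sanitized record, and a dump of magnetic-stripe track data.
SAMPLE_LOGS = [
    '2014-09-10T12:01:05Z INFO auth request {"pan": "4111111111111111", "exp": "0816", "cvc": "123"}',
    '2014-09-10T12:01:06Z INFO auth ok {"pan_masked": "411111******1111", "exp": "0816", "auth": "A1B2C3"}',
    '2014-09-10T12:02:11Z DEBUG raw swipe {"track2": "4111111111111111=16081011234"}',
]
# Field names under which the verification code usually leaks into logs or databases.
CVC_FIELD = re.compile(r'"(cvc|cvv|cvv2|cid|csc|security_code)"\s*:\s*"\d{3,4}"', re.I)
TRACK2 = re.compile(r"\b\d{13,19}=\d{4}")         # PAN '=' expiry+service code
PAN = re.compile(r"\b(?:\d[ -]?){13,19}\b")        # 13-19 digits, optional separators
SENSITIVE_FIELDS = ("cvc", "cvv", "cvv2", "cid", "csc", "security_code", "track1", "track2", "pin")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop random digit runs from PAN matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(line: str) -> list:
    """Return the kinds of sensitive card data present on one line."""
    found = []
    if CVC_FIELD.search(line):
        found.append("cvc")
    if TRACK2.search(line):
        found.append("track2")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in PAN.finditer(line)):
        found.append("pan")
    return found

def scan_log(lines) -> list:
    """(1-based line number, findings) for every line holding data that must not be retained."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := find_sensitive(line))]

def sanitize_for_storage(record: dict) -> dict:
    """Drop verification code and track data; mask the PAN to first six and
    last four digits, the most PCI DSS allows to be displayed."""
    out = {k: v for k, v in record.items() if k.lower() not in SENSITIVE_FIELDS}
    if "pan" in out:
        pan = re.sub(r"\D", "", out.pop("pan"))
        out["pan_masked"] = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return out

if __name__ == "__main__":
    for n, kinds in scan_log(SAMPLE_LOGS):
        print(f"line {n}: retains {', '.join(kinds)}")
```

Running it over real application logs or database exports, rather than the constructed lines, is the quick way to find out whether CVC values are being retained anywhere.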

Customers not responsible for fraudulent charges

In the official disclosure statement, Staples links to a document containing all the stores that have been affected by this incident. It includes locations in 35 states in the US and the duration of the breach.

All customers who used their cards at these stores during the incident are offered complimentary identity protection services, which include credit monitoring, identity theft insurance, and a free credit report.

They are not responsible for fraudulent charges if the suspicious activity is reported in a timely fashion. They are advised to check their account statements for fraud attempts and to report any to their card issuers.