Staples Confirms 1.16 Million Cards Breached In 115 Stores

Back in October, big-box office-supply retailer Staples announced that it was investigating a possible customer payment data breach. The results of that investigation are in: yes, the payment systems of some Staples stores were breached.

While there was some speculation last month that this breach may have been linked to the one at craft retailer and fellow big-box tenant Michaels, it turns out that the two breaches weren’t related, according to security blogger Brian Krebs.

Staples says that about 115 of its stores were hit in this breach, out of a total of 1,400 stores in the chain. (If you’re wondering whether your local store appears on the list, you can download a PDF here.)

The malware first appeared and started slurping up payment data at stores in Jersey City, NJ and Springfield, PA on July 20. 113 other stores joined the breach on August 10, and transactions from that point until Staples caught and disposed of the malware on September 16th. Staples says that its investigation shows that customer payment information that may have been stolen includes cardholder names, card numbers, expiration dates, and card verification codes.

The company also reports some “fraudulent payment card use” traced to four of the chain’s stores in New York City in April and May of this year. That fraud doesn’t appear to be related to the payment system malware, but Staples has announced that breach while they’re at it.

As companies always do when a major breach is announced, Staples is offering affected customers a free credit report, credit monitoring, and identity theft insurance. This isn’t all that useful when the more likely issue would be someone cloning your credit card and living it up. Given that this breach ended more than three months ago, if your card number was stolen, you probably already have a new one and have moved on with your life.

At this point, it may be easier to make a list of national retailers that haven’t reported being breached in the last calendar year.