On October 14, Brian Krebs reported on Krebs on Security that several banks had identified a pattern of fraudulent credit and debit card activity suggesting that several Staples, Inc. office supply stores in Pennsylvania, New York, and New Jersey had experienced a data breach.
The banks were alerted when fraudulent charges surfaced at other (non-Staples) businesses. Generally, that means point-of-sale systems at Staples were breached with card-stealing malware that was used to obtain card information. That card information was subsequently used to make purchases at other stores.
On Tuesday, Staples issued a statement that it is investigating “a potential issue” with its customers’ credit card data. Security experts believe, although it has not yet been confirmed, that the malware used in this attack is similar to the “BlackPOS” software hackers employed to steal card information from Target, Home Depot, and Dairy Queen customers. If it is the same malware, then all Staples customers who used cards during the time the malware was infecting Staples’ POS system can expect that their card numbers were harvested by the hackers for resale on the black market.
Staples has not yet informed the public as to the extent of the breach. It would be prudent for Staples to move quickly to notify the victims of the breach. Otherwise, Staples can expect increased fines and sweeping investigations.