Staples Becomes The Latest Retailer Affected By A Payment Card Data Breach

If you’ve shopped at a major retailer in the U.S., chances are your payment card data has been stolen at some point. Today, it appears you may be able to add Staples to the growing list of retailers who have discovered fraudulent activity related to a data breach in their stores. In Staples’ case, however, the company is currently investigating a “potential issue” in select locations in the Northeastern U.S.

The news was first reported by Brian Krebs, the security expert who broke the story of Target’s credit card breach which ended up affecting up to 110 million consumers, thanks to the timing of the breach which involved going after customer’s payment card and personal information during the busy holiday shopping season.

It’s unclear at this time how large the Staples breach may turn out to be compared with other attacks, but it initially sounds as if it may be smaller in scale.

According to Krebs’ blog post on the matter, “it appears likely that fraudsters have succeeded in stealing customer card data from some subset of Staples locations, including seven Staples stores in Pennsylvania, at least three in New York City, and another in New Jersey,” he writes, citing over a half-dozen sources at East Coast banks.

That would indicate that Staples breach may be smaller than others, given that the company operates over 1,800 U.S. stores, and it’s looking into just a handful.

The fraudulent activity was actually detected at non-Staples stores, says Krebs, which suggests that thieves used malware to steal the payment card info to create and use counterfeit cards.

Staples now joins a long list of retailers whose systems have come under attack over the years. One of the largest was the 2009 attack on card processor Heartland Payment Systems which saw thieves stealing an estimated 130 million credit cards. Before that, in 2007, crooks stole 90 million cards from TJX (parent company of T.J. Maxx).

But more recently, the attacks have continued. In addition to Target, major retailers affected by breaches have included Home Depot, which saw 56 million cards compromised over a 5-month period – bigger than the attack on Target. (Only 40 million credit and debit cards were breached at Target, but 70 million more had their personal information stolen.) Nieman Marcus was another big name in recent breaches, though fewer were affected – about 1.1. million credit cards were compromised, the retailer said. Grocer Supervalu Inc. and Asian restaurant chain P.F. Chang’s also reported attacks in recent months.

Staples says it’s working with law enforcement, but isn’t providing additional information beyond confirmation of the investigation at this time.

A spokesperson for Staples provided the company’s official statement (see below) when questioned for more information:

Staples is in the process of investigating a potential issue involving credit card data and has contacted law enforcement. We take the protection of customer information very seriously, and are working to resolve the situation. If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis.