Staples: Breach may have affected 1.16 million customers’ cards

MOUNT PROSPECT, IL - SEPTEMBER 29: A shopper departs a Staples store September 29, 2005 in Mount Prospect, Illinois. Staples is the first large chain store to begin recycling discarded electronic items, including old cell phones, pagers, portable handheld devices and used printer-ink cartridges. (Photo by Tim Boyle/Getty Images)

Staples said Friday afternoon that nearly 1.16 million customer payment cards may have been affected in a data breach under investigation since October.

The office-supply retailer said two months ago that it was working with law enforcement officials to look into a possible hacking of its customers’ credit card data. Staples said in October that it had learned of a potential data theft at several of its U.S. stores after multiple banks noticed a pattern of payment card fraud suggesting the company’s computer systems had been breached.

Now, Staples believes that point-of-sale systems at 115 of its locations were infected with malware that thieves may have used to steal customers’ names, payment card numbers, expiration dates and card verification codes, the company said on Friday. At all but two of those stores, the malware would have had access to customer data for purchases made between August 10 and September 16 of this year. At the remaining two stores, the malware was active from July 20 through September 16, the company said.

Staples, which has more than 1,400 retail locations, said the data breach impacted stores in 35 states. The company said its investigation found reports of fraudulent card use at four of its Manhattan locations between April and September 2014, although Staples found no evidence of malware at those locations.

“Staples is committed to protecting customer data and regrets any inconvenience caused by this incident,” the company said in its announcement. “Staples has taken steps to enhance the security of its point-of-sale systems, including the use of new encryption tools.”

The company is offering free identity protection services such as credit monitoring, identity theft insurance and a free credit report to any customers who shopped at the affected stores during the time periods when the malware was active. Staples also reiterated that customers are generally not responsible for any fraudulent charges and reminded its customers to monitor their financial accounts for any suspicious activity.

Staples’ stock (SPLS) dipped about 0.5% on Friday, but the company’s shares are actually up more than 40% since news of the possible breach in October.

Cyber security is a hot-button issue across corporate America at the moment, especially in light of last month’s debilitating and embarrassing hack at Sony Pictures Entertainment. (Earlier this week, Fortune’s Dan Primack pondered whether or not the hacks at Sony and elsewhere might actually be a boon to Staples’ business by spurring a renaissance of sorts for paper-based communication as a way of avoiding digital predators.)

For the most part, though, the recent high-profile data breaches have targeted U.S. retailers, with companies such as Target (TGT), Home Depot (HD) and Kmart falling victim along with tens of millions of their customers. Meanwhile, in October, JPMorgan Chase (JPM) revealed that hackers gained access to the contact information of roughly 76 million households and another 7 million small businesses through a data breach at the massive bank.