Staples Reports 1.2 M Payment Cards Affected by Malware Data Breach

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Dec. 22 — Staples Inc., the world's largest office-supply store chain, Dec. 19 announced that nearly 1.16 million customer payment cards were affected by a previously announced data breach.

Malware infected point-of-sale systems at 115 of the company's 1,400 retail stores in the U.S., the company said in a statement.

The malware affected payment card purchases in 113 of the stores from Aug. 10 to Sept. 16 and at the other two stores from July 20 to Sept. 20, Staples said.

According to a fact sheet provided by the company, Staples discovered the breach in mid-September.

Framingham, Mass.-based Staples announced Oct. 21 that it was investigating a hacking breach. 

Financial Impact?

Staples reiterated that it was investigating the breach in a Form 10-Q quarterly earnings report filed Nov. 19 with the Securities & Exchange Commission. As of Dec. 22, the company hasn't detailed to the SEC possible financial consequences of the breach but did note in the quarterly earnings report that it carries “network-security” insurance “which we expect would help mitigate any material financial impact.”

The Staples data theft adds to a wave of breaches at companies such as Home Depot Inc., Target Corp., Kmart and Neiman Marcus Group Ltd. that have put pressure on retailers to bolster payment card security. 

Staples said it has eradicated the malware infection and has enhanced its payment card security. It is offering affected customers free credit monitoring, identity theft insurance and a free credit report.