Staples: Hack may have affected more than a million payment cards

The office supply chain says a breach that took place earlier this year gave attackers access to cardholder names, card numbers, expiration dates and card verification codes.

Edward Moyer Senior Editor

Edward Moyer is a senior editor at CNET and a many-year veteran of the writing and editing world. He enjoys taking sentences apart and putting them back together. He also likes making them from scratch. ¶ For nearly a quarter of a century, he's edited and written stories about various aspects of the technology world, from the US National Security Agency's controversial spying techniques to historic NASA space missions to 3D-printed works of fine art. Before that, he wrote about movies, musicians, artists and subcultures.

Credentials

Ed was a member of the CNET crew that won a National Magazine Award from the American Society of Magazine Editors for general excellence online. He's also edited pieces that've nabbed prizes from the Society of Professional Journalists and others.

See full bio

Edward Moyer

Dec. 19, 2014 4:59 p.m. PT

2 min read

Staples joins Target, Home Depot and a host of other retailers that have become victims of hacking attacks. CNET

Office supply chain Staples said Friday that a hack attack on some of its retail outlets earlier this year may have affected 1.16 million payment cards used by customers, giving attackers access to cardholder names, card numbers, expiration dates and card verification codes.

It's the latest news of an attack involving hackers placing malware, or malicious software, on point-of-sale systems. In September, home-improvement chain Home Depot said 56 million credit cards had been put at risk by such an attack. Prior to that, at the end of 2013, Target was attacked in a similar breach the chain estimated could have affected a third of the US population. Art-supply chain Michaels Stores, department store Neiman Marcus and restaurant chain P.F. Chang's have also been victims of data breaches.

Staples said the malware attack spanned the country, affecting 115 of its more than 1,400 US stores from New York to California and that it involved purchases made from late July through mid-September. Another four stores, in Manhattan, may have seen fraudulent payment card use from April through September, though no malware was detected at those outlets.

The company is offering free identity protection services -- including credit monitoring, identity theft insurance and a free credit report -- to customers who used their cards at the affected stores during the specific time periods. The company released a complete list of stores and dates, which is available online (PDF).

Staples had said in October that it was ""="" shortcode="link" asset-type="article" uuid="68772ed1-b6cb-4150-8fbb-4c421ccdc301" slug="staples-probes-potential-theft-of-customer-credit-card-data" link-text="investigating a " section="news" title="Staples probes potential theft of customer credit card data" edition="us" data-key="link_bulk_key" api="{"id":"68772ed1-b6cb-4150-8fbb-4c421ccdc301","slug":"staples-probes-potential-theft-of-customer-credit-card-data","contentType":null,"edition":"us","topic":{"slug":"cybersecurity"},"metaData":{"typeTitle":null,"hubTopicPathString":"Tech^Services and Software^Online^Cybersecurity","reviewType":null},"section":"news"}">

"Typically, customers are not responsible for any fraudulent charges on their credit cards that are reported in a timely fashion," the company said in a statement Friday. "Staples customers who shopped at the affected stores during the relevant time periods should review their account statements and notify their card issuers of any suspicious activity."