Bad news for customers of Staples office supply, especially customers in the Northeast: looks like Staples is the latest major retailer to get hacked.
Security blogger Brian Krebs reported yesterday that, according to his sources at “more than a half-dozen” banks operating on the East Coast, customer data appears to have been stolen from at least seven stores in Pennsylvania, three in New York City and one in New Jersey.
Given this limited scope – a dozen stores hit out of the 1,800 stores Staples has nationwide – it appears that the hackers did not actually “hack” into the central Staples database, but most likely installed some sort of malware on cash registers at the individual stores, malware enabling the thieves to steal all credit- or debit-card data used at the affected registers.
The Dairy Queen/Orange Julius security breach from earlier this month was another example: the actual DQ database remained off-limits to hackers, but close to 400 individual stores had card-stealing malware on their cash registers.
A Staples spokesman offered the standard response to the breach, admitting that the company is investigating a “potential issue involving credit card data and has contacted law enforcement.”
Furthermore, “We take the protection of customer information very seriously, and are working to resolve the situation,” and “If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on [in] a timely basis.”
So far, Staples has not announced (or does not know) the time frame involved – when did the malware first start lifting numbers, and for how long?
Until more information is available, if you paid with a card at any Staples in Pennsylvania, New Jersey or New York City at any time in the past year or so, you should probably contact your bank and take the usual security precautions.