Over the weekend, Staples officially confirmed what various security experts and banking professionals have suspected since October: hackers used malware to successfully steal the payment-card information of millions of customers who shopped at various Staples stores between April and September 2014.
Security blogger Brian Krebs first reported on Oct. 20 that his sources from a half-dozen different banks and other financial institutions suspected that customer data had been stolen from at least 11 different Staples stores: seven in Pennsylvania, three in New York City and one in New Jersey.
Turns out the actual damage was far more widespread. Late last Friday afternoon, Staples spokespeople released a statement admitting that “criminals [had] deployed malware to some point-of-sale systems at 115 of its more than 1,400 U.S. retail stores.”
Staples also released a list, available in .pdf form here, identifying which specific stores were hit and when (though April is listed as the “official” start of this particular breach, most of the stores on that list didn't have their security compromised until August). The affected stores are divided among 35 different states.
Krebs spoke to Aviv Raff, the chief technology officer for Seculert, who said that on average, the amount of time it takes a typical store to notice and respond to such a security breach is about 40 days. Indeed, if you think about all the various retail or business hacking stories you've read about these past couple of years – or all the various times you personally had to cancel your accounts and get various payment cards re-issued after they'd been compromised in a breach – you never, ever see timelines like this: “Hackers got in on Monday, we noticed the problem on Wednesday and fixed everything before the weekend.”
If you've used a payment card to buy anything at any Staples store in the past eight months, you should check this .pdf list to make sure your store isn't on it. If it is, contact the compny which issued your card and take all the usual card-security precautions.