Office-supply chain retailer Staples Inc. today shed further light on its recent data breach, with new details indicating it was far worse than initial reports.
Originally uncovered in October when veteran security journalist Brian Krebs revealed a breach had likely taken place, the Staples data breach was originally linked only to fraudulent transactions made with cards stolen from the company's locations in New York, Pennsylvania and New Jersey. Staples had failed to provide any clarification in its latest 10-Q filing to the U.S. Securities and Exchange Commission in November.
On Friday the company has provided an update that estimates approximately 1.16 million payment card numbers may have been affected, as well as other transaction data including cardholder names, expiration dates and verification codes. Staples also confirmed that point-of-sale malware may have infected 115 systems at more than 1,400 of its 1,800 plus U.S. stores from July 20 until Sept. 16, when the company, based in Framingham, Mass., said it began the process of eliminating the malware.
Staples denied that it found any malware activity on its systems predating July 20, though the firm received reports that fraudulent payments were made with customers' cards used at four Manhattan locations dating back to April. Still, the company will offer credit monitoring, credit reports and other measures to customers that used payment cards in stores dating back to that period.
Staples provided a full list of the stores believed to have been compromised by the malware.
"Staples is committed to protecting customer data and regrets any inconvenience caused by this incident," the company wrote in its statement. "Staples has taken steps to enhance the security of its point-of-sale systems, including the use of new encryption tools."
RAM scraping point-of-sale malware has already been the subject of several U.S. government warnings to businesses this year, and the Backoff malware was speculated to have infected more than 1,000 businesses. Learn how whitelisting technology may be able to help your company defeat POS malware infections.