In early December, Staples customers learned more details about last fall’s wide-scale data breach.
Financial information for more than 1.16 million customers who shopped at 115 Staples stores throughout the U.S. between Aug. 10 and Sept. 16, 2014, was believed to have been accessed by computer hackers. This data breach included credit card information, cardholder names, expiration dates and PIN data.
The breach was announced to the public in October, and customers who had shopped at the affected stores in the suspected time period were asked to take a variety of preventative measures to either detect or protect access to their personal bank accounts, such as changing passwords or alerting credit card companies to monitor for unusual transactions.
Staples apologized for the breach and said it only represented a small percentage of its 1,400 retail stores. But it did offer free identity protection services to customers at the affected stores who used payment cards during specific time periods.
Along with informing the public that certain store systems were compromised, Staples launched an investigation, which wrapped up in December 2014.
The first set of findings from the investigation was recently released and gave more details about the methods of the data breach, along with new information that some stores may have been affected earlier in the year than the office supply chain originally was aware of.
The primary breach was a result of malware that was somehow installed on Staples point-of-sale systems at the stores. These unauthorized piece of software were difficult to detect and were able to make some behind-the-scenes changes, including communicating with other infected computers and sharing information about customer payment card transactions.
For the most part, the malware was detected by mid-September, and efforts were made to combat it by improving its computer security measures and installing more preventative tools, although personal information likely could have been removed prior to this.
Staples officials believe that the specific malware was in place as early as July 20 at a store in Springfield, Penn., and a store in Jersey City, N.J.
It extended its offer of free identity protection services to anyone who shopped at these locations between these dates, not just the August-September time period when the breach occurred at the other stores.
Over the course of the investigation, it also showed that fraudulent payment cards were used in four New York stores between April and September. Though malware wasn’t believed to have been connected to these crimes, the identity protection service was made available to shoppers during this time period.
This is the third financial breach of a major retailer in just over a year.
In December 2013, computer hackers gained access to more than 40 million credit cards plus other personal information from 110 million shoppers around the U.S. An investigation concluded that the culprits successfully breached the network of one of Target’s HVAC contractors, which then allowed them to bypass Target’s security and discover customer data.
The Home Depot reported last spring that hackers gained access to 56 million credit cards accounts and 53 million customer email addresses. Here, a similar tactic was used of accessing a vendor system.