Office supply chain Staples said Friday that a hack attack on some of its retail outlets earlier this year may have affected 1.16 million payment cards used by customers, giving attackers access to cardholder names, card numbers, expiration dates and card verification codes.
It's the latest news of an attack involving hackers placing malware, or malicious software, on point-of-sale systems. In September, home-improvement chain Home Depot saidby such an attack. Prior to that, at the end of 2013, in a similar breach the chain estimated could have affected a third of the US population. Art-supply chain , department store and restaurant chain have also been victims of data breaches.
Staples said the malware attack spanned the country, affecting 115 of its more than 1,400 US stores from New York to California and that it involved purchases made from late July through mid-September. Another four stores, in Manhattan, may have seen fraudulent payment card use from April through September, though no malware was detected at those outlets.
The company is offering free identity protection services -- including credit monitoring, identity theft insurance and a free credit report -- to customers who used their cards at the affected stores during the specific time periods. The company released a complete list of stores and dates, which is available online (PDF).
Staples had said in October that it was
"Typically, customers are not responsible for any fraudulent charges on their credit cards that are reported in a timely fashion," the company said in a statement Friday. "Staples customers who shopped at the affected stores during the relevant time periods should review their account statements and notify their card issuers of any suspicious activity."