Several Staples Stores Suffer Data Breach

Staples has joined the rapidly growing list of major retailers that have suffered a data breach this year.

Multiple banks say they have identified a pattern of fraud associated with credit and debit cards that were used at several Staples locations in the Northeast US recently, according to a report by KrebsOnSecurity.

Unlike many of the other major data breaches disclosed recently, the Staples breach appears to have affected only a relatively small subset of the retailer’s 1,800 store-locations countrywide.

Initial data suggests that seven Staples stores in Pennsylvania, three in New York City, and one store in New Jersey appear to have been affected, unnamed bank sources said in the report. There is no information so far on how many cards might have been compromised or if the breach affected other stores as well.

The fraudulent charges have all occurred at non-Staples locations. The pattern of use suggests that the attackers managed to steal card data from cash registers at the affected Staples locations and then used the data to make counterfeit cards.

A Staples spokesman says the company is in the process of investigating a potential issue involving credit card data. “We take the protection of customer information very seriously, and are working to resolve the situation. If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis,” he said in a press release.

Though the Staples breach appears to be relatively small, at least based on available information, it is similar in nature to several others that have been reported recently.

Over the past several months, a slew of companies including Home Depot, K-Mart, grocery chain SuperValu Inc., UPS Stores Inc., Dairy Queen, and Goodwill Industries have all reported major credit and debit card compromises.

In most instances, the companies did not know they were breached until third parties notified them of fraudulent activity involving credit and debit cards used at their stores.

The breaches point to a US payment system in full crisis mode, says Avivah Litan, an analyst at Gartner.

As the US Department of Homeland Security and US Secret Service said months ago, at least 1,000 retailers have been compromised by a virulent point-of-sale malware threat called Backoff, Litan notes. It’s almost certain that Staples is just another victim of the same malware, she says.

“The news is just leaking out slowly but surely. The card brands don’t want to spook the public,” she says.

The ongoing migration of the US payments system to smartcards based on the Europay Mastercard Visa (EMV) standard will make it harder for attackers to use stolen credit and debit cards and therefore could reduce some of the incentive for such attacks, she says. “But it’s going to take at least two to three years before it makes a meaningful difference.”

In the meantime, there are several other approaches such as tokenization, point-to-point encryption, and mandatory PIN use that could make a big difference, she advises. “These measures would take less time to implement and would help considerably.”

James Huguelet, principal at The Huguelet Group LLC, a PCI consultancy, says the string of recent breaches is disconcerting.

“While I can only speculate as to why 2014 is proving to be the year for POS breaches, we’ve clearly passed some sort of tipping point,” Huguelet says. “The Target breach seems to have demonstrated to the cyber underground that these systems are often vulnerable and worthy of the time and effort to attack.”