The data breach at the Staples office-supply chain may have affected roughly 1.16 million payment cards as criminals deployed malware to point-of-sale systems at 115 stores, the company said Friday.
The affected stores cover 35 states from California to Connecticut, according to a list Staples released Friday. The chain has more than 1,400 stores in the U.S.
The malware, which allowed the theft of debit and credit card data, was removed in mid-September upon detection, Staples said. The retailer had previously confirmed the incident in October. A previous report from security researcher Brian Krebs around that time cited fraudulent transactions traced to cards that were used for purchases at Staples stores in the Northeastern U.S., but apparently the attack was much wider than that.
The malware may have allowed access to transaction data including cardholder names, payment card numbers, expiration dates, and card verification codes, for purchases made between Aug. 10 and Sept. 16, Staples said Friday.
At two of the stores, the malware may have involved purchases over an even longer period, from July 20 through Sept. 16. Staples has posted a list of all the stores involved on its site.
Staples is offering free identity protection services, including credit monitoring, identity theft insurance, and a free credit report, to any customer who used a payment card at any of the affected stores during the relevant time periods.
Staples is another in a long line of retailers to have had sensitive data stolen this year. The addition of chips to payment cards, used in most of the world but not often in the U.S., could help prevent future attacks. But a broad rollout of the technology may take a long time.