Retailer Staples has confirmed that point-of-sale malware had been used at 115 of its retail locations in the United States and criminals were able to access 1.16 million payment card numbers during a six-month-long intrusion.
Staples said it removed the malware in September from the affected locations, but the more than one million customers affected have had card data, including cardholder names, payment card numbers, expiration dates and card verification code exposed.
“At 113 stores, the malware may have allowed access to this data for purchases made from August 10, 2014 through September 16, 2014,” Staples said in a statement. “At two stores, the malware may have allowed access to data from purchases made from July 20, 2014 through September 16, 2014.”
Staples said it also received reports of payment card fraud related to its breach at four stores in New York City between April and September of this year.
The retailer provided a list of affected locations, and said it will offer free identity protection services that include credit monitoring, identity theft insurance and credit reporting to customers who used a payment card going back to April.
Security company Seculert locked down the breach timeline as April 1 to Sept. 30, and puts the attackers on the Staples network for 182 days. Seculert estimates the per store minimum breach time to detect and respond was 37 days.
Initially, it was believed the breach was contained to locations in the Northeast, but Staples reports malware at locations in 35 states nationwide.
Security website KrebsonSecurity reported in October that banks were investigating fraud likely tied to Staples locations; Staples said it and law enforcement were investigating a potential issue.
While the Staples breach is dwarfed in the number of lost records by Home Depot and Target, the common link is poorly secured point-of-sale systems and effective malware targeting those platforms and stealing payment card data before it is encrypted. Experts have been for months calling for retailers and vendors to review point-of-sale systems security, and the Department of Homeland’s security Cyber Emergency Readiness Team (US-CERT) warned that the Backoff strain of PoS malware had likely infected more than 1,000 locations in the U.S.
Backoff was particularly worrisome this year. Kaspersky Lab, in August, released a report based on data from two Backoff command and control servers it had sinkholed, and that in two days, close to 100 infected PoS systems in the U.S. and other countries tried to call home.
Point-of-sale malware, also known as a RAM scraper, is injected into running processes on these systems and steals payment card data before it is encrypted at the PoS terminal or the server managing it and is sent off to the payment processor.