Staples first announced it was investigating a potential data breach in the Northeast in October. Staples released details of its investigation on Friday, just as the holiday shopping season comes to a close.
The breach affects those who shopped at a small fraction of Staples stores between July 20 and Sept. 16 this year. Cybercriminals now know a shopper’s name, card number, its expiration date and card verification code.
The breach affected 115 of the company’s approximately 1,400 office supply stores in the United States. A web page has been set up noting which stores were affected.
The damage to victimized Staples customers will be minimal, as banks typically shield them from fraud.
Staples is also offering free identity protection, identity theft insurance and a free credit report.
That might be a good public relations move for the company, but in reality, it’s useless gesture. It doesn’t take the valuable stolen data out of criminal’s hands. Criminals now know your name and bank, which is useful information when paired with other personal data available on the black market.
Staples apology is a familiar template for any company that loses your data: “Staples is committed to protecting customer data and… has taken steps to enhance the security of its point-of-sale systems, including the use of new encryption tools.”
It’s unclear why Staples hadn’t installed these protections sooner, given that the Target hack in late 2013 was a wake-up call for the retail industry.
Staples now joins the lengthy list of companies whose payment systems were attacked by hackers in the past 12 months: Albertson’s, Home Depot, Michaels, Neiman Marcus, P.F. Chang’s, Target and SuperValu.
Staples did not respond immediately to requests for further comment.