Staples hit by data breach: What to do now [updated]


UPDATED with comment from Staples.

There's been a data breach at U.S. office-supply retailer Staples, but we don't yet know how many people might have been affected. (Update: Staples says it was fewer than 2,500.)

Australian security researcher Troy Hunt, who runs the HaveIBeenPwned website (where you can check to see if your information was part of a data breach), on Sunday used his Twitter account to post a copy of an email message sent to an unknown number of Staples online customers.

"We recently learned of unauthorized access to a limited number of non-sensitive customer order data on Staples.com, which may have included information about one of your orders," the email message said. 

That information "may have included your name, address, email, phone number, last four digits of your payment card, and information about the cost, delivery and product ordered," the message continued. "It did NOT include your account credentials [i.e., your username and password] or full payment card number, and there is no indication that it resulted in any purchases being made on your behalf."


In response to angry people on Twitter, Hunt explained that "non-sensitive data" is defined differently depending on legal jurisdiction. In many instances, names, addresses and phone numbers would be considered public records. 

People affected by this data breach might see an uptick in the number of spam email messages, text messages and phone calls they receive, and might be at greater risk of phishing attacks.

However, the information stolen in the data breach wouldn't be very useful to someone trying to steal your identity or credit-card number or hijack your Staples account.

Staples Canada does not seem to be affected by this data breach. Bleeping Computer reported that the breach at the U.S. Staples website appears to have taken place around Sept. 2.

Concerned Staples customers can call the company at (800) 338-0252 and select Option 3. 

We could find no mention of this breach on the Staples website. We've asked Staples for comment and information on how many customers may have been affected, and we will update this story when we receive a reply.

Staples last had a security issue of this size way back in 2014, when credit-card thieves infected the payment systems of more than 100 Staples retail stores with malware designed to swipe credit-card details.

Update: Staples responds

A Staples spokesperson responded to Tom's Guide's query and provided us with this statement:

"Staples recently learned of unauthorized access to a limited amount of non-sensitive customer order data on Staples.com. Information from fewer than 2,500 orders was affected. 

"We investigated and took steps to remedy the situation. The company takes the protection of its customers' data seriously and has notified users whose order data was determined to have been impacted."

Paul Wagenseil
