Office-supplies chain Staples has confirmed it suffered a payment-systems data breach earlier this year, in which 1.16 million customer credit and debit cards used at 119 Staples locations in 35 American states were stolen over a period of up to six months. The criminals behind the breach appear to have already used the card data for fraud.
If you think you may have used a debit or credit card at a Staples retail location between April and September of this year, read on to find out how you can protect yourself from fraudulent card activity and more.
News of a possible breach at Staples broke in October, when independent security reporter Brian Krebs reported that several U.S. banks were investigating fraudulent payment card charges that appeared to trace back to Staples. At the time, Staples said only that it was investigating a potential issue.
Late Friday afternoon (Dec. 19) Eastern time, Staples confirmed that payment-card systems at 115 of its roughly 1,400 US locations had been infected with a type of malware that was stealing customers' payment information, including credit- and debit-card numbers, cardholder names, expiration dates and magnetic-strip card verification codes (but not the verification codes printed on the cards).
Those 115 stores were initially infected in July or August of 2014. The other four stores, all located in Manhattan, seem to be connected to fraudulent card activity dating back to various points between April and August, but Staples reported that it had found no malware at those locations.
Staples has released a full list of the compromised store locations and the dates during which they were compromised.
If you used a payment card at an affected Staples location during the exposure window, Staples will give you a year of free credit monitoring, as well as identity-theft insurance and a free credit report, all via Experian. To claim these services, visit this website. You can also call Staples' customer support hotline at (866) 274-4371 from 9 am to 9 pm EST on weekdays, or 11 am to 8 pm EST on weekends.
You can also take some steps yourself to minimize the risk of payment-card fraud. (There's not much risk of identity theft if all that was stolen was credit-card data.) Check your card and bank balances every couple of days for the next few weeks, preferably via telephone. Also, each of the three major credit-reporting agencies — Experian, TransUnion and Equifax — must give all U.S. residents one free credit report per year if asked.
You can also place a free credit alert on your file via one of these agencies, which will notify the other two. You will be notified if anyone tries to run a credit check on you or tries to open an account in your name. Free credit alerts expire after 90 days, but can be renewed indefinitely.
- How to Protect Yourself from Data Breaches
- How to Survive a Data Breach
- How to Buy Stolen Credit Cards from the 'Amazon of Cybercrime'
Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, onFacebook and on Google+.