Skip to main content

Staples Stores Possibly Hit by Credit-Card Thieves

Credit: Staples, Inc.

(Image credit: Staples, Inc. )

Several Staples office supply stores in the Northeastern United States may have been hit with a payment-card data breach. Staples confirmed that it was investigating a potential issue.

Independent security reporter Brian Krebs first broke the story of the possible breach, reporting that sources at multiple U.S. banks had told him about a pattern of recent credit- and debit-card fraud that seems to trace back to specific Staples store locations.

MORE:10 Worst Data Breaches of All Time

The allegedly affected Staples stores are located in Pennsylvania, New Jersey and New York City. It's not clear which specific locations were affected, nor for how long the breaches lasted.

Krebs' sources told him they were investigating fraudulent debit- and credit-card charges that seemed to trace back to 11 separate Staples store locations. The fraudulent charges also occurred at other businesses located in the Northeast, such as supermarkets and other large retail locations.

"This suggests that the cash registers in at least some Staples locations may have fallen victim to card-stealing malware that lets thieves create counterfeit copies of cards that customers swipe at compromised payment terminals," Krebs wrote in a post on his blog.

Alternately, it's possible the retail locations may have been targeted by a "carder" gang, who would buy card numbers from corrupt cashiers. Such relatively low-tech card theft is common in the New York area.

A Staples representative told Krebs that the company is investigating a "potential issue involving credit card data." Staples has also notified law enforcement of the possible issue. 

Even if this breach is confirmed, it's still nowhere as serious as the recent breaches at Target or Home Depot. Staples has more than 1,800 store locations in the United States, but only a handful of Northeastern locations appear to be affected.

Still, if you believe you may have been affected, you should check your bank accounts for any fraudulent or suspicious transactions, and contact your bank. You can also contact each of the three major U.S. credit-monitoring agencies — Experian, TransUnion or Equifax — and request a free credit alert on your card. These alerts expire every 90 days, but you can renew them indefinitely.

You may also consider requesting a credit report. Each of the three agencies are required to give all U.S. residents one free credit report per year.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, onFacebook and on Google+.