Skip to main content

Staples Data Breach: What to Do Now

Office-supplies chain Staples has confirmed it suffered a payment-systems data breach earlier this year, in which 1.16 million customer credit and debit cards used at 119 Staples locations in 35 American states were stolen over a period of up to six months. The criminals behind the breach appear to have already used the card data for fraud.

If you think you may have used a debit or credit card at a Staples retail location between April and September of this year, read on to find out how you can protect yourself from fraudulent card activity and more.

MORE:10 Worst Data Breaches of All Time

News of a possible breach at Staples broke in October, when independent security reporter Brian Krebs reported that several U.S. banks were investigating fraudulent payment card charges that appeared to trace back to Staples. At the time, Staples said only that it was investigating a potential issue.

Late Friday afternoon (Dec. 19) Eastern time, Staples confirmed that payment-card systems at 115 of its roughly 1,400 US locations had been infected with a type of malware that was stealing customers' payment information, including credit- and debit-card numbers, cardholder names, expiration dates and magnetic-strip card verification codes (but not the verification codes printed on the cards).  

Those 115 stores were initially infected in July or August of 2014. The other four stores, all located in Manhattan, seem to be connected to fraudulent card activity dating back to various points between April and August, but Staples reported that it had found no malware at those locations.

Staples has released a full list of the compromised store locations and the dates during which they were compromised.

If you used a payment card at an affected Staples location during the exposure window, Staples will give you a year of free credit monitoring, as well as identity-theft insurance and a free credit report, all via Experian. To claim these services, visit this website. You can also call Staples' customer support hotline at (866) 274-4371 from 9 am to 9 pm EST on weekdays, or 11 am to 8 pm EST on weekends. 

You can also take some steps yourself to minimize the risk of payment-card fraud. (There's not much risk of identity theft if all that was stolen was credit-card data.) Check your card and bank balances every couple of days for the next few weeks, preferably via telephone. Also, each of the three major credit-reporting agencies — Experian, TransUnion and Equifax — must give all U.S. residents one free credit report per year if asked.

You can also place a free credit alert on your file via one of these agencies, which will notify the other two. You will be notified if anyone tries to run a credit check on you or tries to open an account in your name. Free credit alerts expire after 90 days, but can be renewed indefinitely.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, onFacebook and on Google+.

  • ahnilated
    If you don't use a credit card and use cash the whole problem goes away. You can thank credit card companies for them pushing people to use them instead of cash for this whole issue. Now that doesn't mean that people are not partially to blame for this, they could have been using cash in the first place imho.
    Reply
  • Ulf Mattsson
    Staples is just one more “infected with a type of malware that was stealing customers' payment information, including credit- and debit-card numbers, cardholder names, expiration dates and magnetic-strip card verification codes”

    My main concern is the successful attack at JP Morgan Chase. The largest US bank lost personal information of 76 million households and it took several months to detect.

    I’m also concerned that the U.S. power grid could be shut down.

    Unfortunately, current security approaches can't tell you what normal looks like in your own systems and the situation is getting worse according to Verizon. Verizon is reporting that this a growing issue. Less than 14% of breaches are detected by internal security tools according to the annual international breach investigations report by Verizon.

    Attackers will always figure out how to get around defenses, so you need to lock down the data that they want to steal.

    So we need to protect our sensitive data itself with modern data centric security technology. As consumers, we must demand better protection from the companies we do business with.

    Ulf Mattsson, CTO Protegrity
    Reply
  • Christopher1
    So we need to protect our sensitive data itself with modern data centric security technology. As consumers, we must demand better protection from the companies we do business with.
    They are already doing that. The problem is that if outside businesses can get to the information, OTHER malefactors can as well.
    Reply
  • klarkmdb
    "That was Easy"
    Reply
  • klarkmdb
    "That was Easy"
    Reply
  • ElGato9
    What to do now? Umm... Sue Staples apparently: http://www.abingtonlaw.com/Staples-Credit-Card-Data-Breach-class-action-lawsuit.html
    Reply