Staples has said it is investigating a possible breach of payment card data.
Following other retailers including Target, Home Depot, Kmart and Dairy Queen, Staples said it has contacted law enforcement about the matter and is in the process of investigating a potential issue involving credit card data.
Company spokesman Mark Cautela said in a statement, published by Reuters, that it takes the protection of customer information very seriously, and is working to resolve the situation.
Cautela said: “If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis.”
The story was initially discovered by security blogger Brian Krebs, who said that multiple banks in the Northeastern United States identified a pattern of credit and debit card fraud, suggesting that several branches of Staples were currently dealing with a data breach. According to more than a half-dozen sources at banks operating on the East Coast, it appears likely that fraudsters have succeeded in stealing customer card data from some subset of Staples locations, including seven Staples stores in Pennsylvania, at least three in New York City, and another in New Jersey.
Charles Sweeney, CEO of Bloxx, said: “Staples is possibly the next in a long list of US retailers to have fallen victim to a hack that would see its customer’s card details compromised. There appears to be a definite trend emerging, with hackers clearly viewing the retail industry as easy pickings.
“Cyber criminals constantly adapt their attack strategies. It is therefore very important that retailers ensure they are creating a dynamic and responsive security environment that can stand up to sustained and persistent attacks.”
Mark Bower, VP product management at Voltage Security, said that this could be another situation where point of sale (POS) malware has been pushed down to a few stores during a POS patch to add new features, or software upgrade cycle, resulting in compromise.
He said: “This seems to be a possible common thread among recent breaches, enabling attackers to propagate malware to many endpoints, though of course this is speculative based on limited data on this particular scenario.
“If malware gets into the POS and steals track or card data directly in memory, then nothing can be done in the POS to mitigate. Tokenization of card data directly in the POS, which is sometimes suggested as a defence, would not achieve anything and worse, possibly expose an open tokenization interface itself to the attacker which could lead to higher levels of compromise.
“The current crop of malware in the POS, like BlackPOS, steals track data as it arrives into memory instantly. Once grabbed, its game over as the data makes its way out to the malware controllers. Tokenization is only useful when combined with encryption in specially designed card reading equipment for secure end-to-end data capture to eliminate live data in vulnerable systems.
“It will be interesting to see how this breach unfolds. In all probability, I would hazard a guess it was quite avoidable through contemporary encryption meas
ures. Other large retailers who have suffered major breaches have already shifted gears to adopt such methods, based on years of success with their early-adopter peers who’ve not had a single incident since deployment.”