Staples finally confirmed Friday it suffered a months-long security breach earlier this year, which could have compromised more than a million consumer credit and debit cards.
Security researcher Brian Krebs first covered the intrusion on his blog in October.
Staples’ recent announcement, though, says that between July and September, 115 different stores discovered malware on their systems. Before it was purged, the malware is thought to have extracted some 1.16 million credit card numbers.
The company is providing the now-standard cautions in cases of credit card theft: watch your statements carefully and inform your bank if you see evidence of fraud.
Staples is also extending fraud monitoring and identity theft insurance to anyone who shopped with a card at the compromised stores.
All told, it’s not as bad as it could have been. Staples didn’t exactly dodge the bullet, but compared to earlier credit breaches, it’s doing better than some retailers.
There are plenty to choose from. The Target hack at the end of 2012 compromised some 40 million cards, and the Home Depot hack in September leaked 56 million numbers.
It’s probably safe to say credit breaches are no longer a surprising new cybersecurity threat. So why is it taking so long for businesses to react?
A writer at CNN points out earlier breaches were perfect high-profile warnings, but Staples appears to have taken action only after the fact.
“It's unclear why Staples hadn't installed these protections sooner, given that the Target hack in late 2013 was a wake-up call for the retail industry.”
“At this late date, to be letting 1.16 million cardholders know the extent of this breach, it’s concerning. Hopefully there’s a new standard set for businesses that have been hacked,” said CNBC’s John Fortt.
For what it’s worth, Staples has published a full list of the affected stores as part of its announcement.