Staples POS Breach Affected 1.16 Million Payment Cards

Media Division | December 20, 2014

Staples on Friday revealed that hackers may have compromised millions of credit cards after deploying malware to POS systems at 115 of its more than 1,400 retail chains in the United States in August and September.

The retailer informed that according to the investigation, the malware may have enabled criminals to access “some transaction data at affected stores, including cardholder names, payment card numbers, expiration dates, and card verification codes.”

Staples further said that the malware may have enabled access to this data from purchases made from August 10 to September 16, 2014 at 113 stores. And the malware may have enabled access to data from purchases made from July 20 to September 16, 2014 at two stores. The company believes that approximately 1.16 million debit/credit cards may have been compromised due to these incidents.

The hackers may have accessed important information, such as cardholder names and their card numbers, expiration dates and verification codes.

“Typically, customers are not responsible for any fraudulent charges on their credit cards that are reported in a timely fashion. Staples customers who shopped at the affected stores during the relevant time periods should review their account statements and notify their card issuers of any suspicious activity,” the company stated.

Staples itself is offering free identity protection services, credit reports and credit monitoring to consumers who used a payment card at the affected stores during the breach period. The company has also created an organized list of stores that were affected by the breach, as well as the dates of the breach, which is available on this link. Staples also claims that it has enhanced its security implementations and is working closely with law enforcement and payment card companies on the matter.

Retailers continue to suffer the woes of security breaches. Target Corp. was affected by a massive breach last year that exposed details of 40 million credit and debit card accounts. Home Depot was hit by a breach that affected 56 million credit and debit cards while hackers also managed to breach 53 million email addresses. And just recently, Bebe revealed that it became a victim of data breach that aimed to expose debit and credit card data.

One of the noticeable trend in most of the retail breaches this year is that POS malware is involved. Cyber criminals have been using malware capabilities like RAM scrapers, botnets and key loggers to breach retail payment systems.

How can retailers protect themselves?

POS threats have been purported to grow further in the upcoming year, so retailers need to protect the payment card data of their customers and POS terminals with a proactive mindset. That will involve taking the following measures:

Limit remote access: Retailers should only allow certain IP addresses to their POS machines, so that employees on the terminal don’t accidently expose the system to cyber criminals. Another thing that can be done is to require physical presence of an authorized individual if he/she wants to login to the system. This would prevent remote access attacks to gain access to the retailer’s network and breach payment card information.

Utilize advanced solutions: Advanced solutions aren’t limited to installing the latest antivirus software. Retailers now have the option to utilize intelligence feeds provided by Massive. These feeds notify retailers about infected POS systems, and they are also capable of intercepting what payment card information is exposed by the hackers.

Consider p2pe: Point to point encryption will encrypt card data during the phase when it swiped to when it reaches the payment processor. This will make sure credit and debit card numbers remain safe from eavesdropping and data breaches.

More hackers are expected to attempt POS attacks in 2015.

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.