Staples Confirms POS Malware Attack

Card Issuers Report Receiving Fraud Alerts

Staples has confirmed that its retail point-of-sale systems were compromised earlier this year by malware-wielding attackers.

The home improvement retailer first acknowledged in October that it was investigating a suspected breach after reports surfaced that elevated levels of fraud had been traced to about a dozen of its stores in the Northeastern United States (see Staples Launches Breach Investigation).

Staples is now confirming that there was a malware-related breach, although it's offering scant additional information. "We are continuing to investigate a data security incident involving an intrusion into some of our retail point-of-sale and computer systems," Staples spokesman Mark Cautela tells Information Security Media Group. "We believe we have eradicated the malware used in the intrusion and have taken steps to further enhance the security of our network."

To date, however, Staples has declined to say how many of its more than 2,000 stores in 26 countries - including 1,800 across the United States and Canada - may have been affected by the breaches. "The company is working with law enforcement and is investigating whether any retail transaction data may have been compromised," Cautela says.

Fraud Reports

Two card issuers tell Information Security Media Group that they have received Compromised Account Management System - better known as CAMS - alerts from payment card brands tied to the Staples breach. Card brands use these alerts to directly warn card issuers of specific accounts that they believe to be compromised.

An executive at one leading issuer in the Northeast, who asked to remain anonymous, confirms receiving a related CAMS alert from MasterCard on Nov. 10, tied to breaches that date from July 2 until Sept. 14, but says the institution has yet to receive any related alerts from Visa.

Meanwhile, another executive at a leading West Coast card issuer, who also asked to remain unnamed, confirms receiving a CAMS alert from Visa, pertaining to only a handful of accounts. Based on that alert, the executive says, the Staples breach doesn't appear to be nationwide, although it may involve more than the approximately one dozen stores - across New Jersey, New York City and Pennsylvania - that were first thought to have been affected.

The executive at the West Coast card issuer says the institution has seen little fraud as a result of the Staples breach, or the breach at retailer Kmart, which reported in October that its IT staff had detected and blocked an attack, made using a "new form" of malware, that had begun in September 2014. Like Staples, Kmart has yet to reveal how many payment cards may have been compromised by attackers.

How Many Stores Affected?

The Staples spokesman declined to address a Nov. 17 report from security blogger Brian Krebs, citing unnamed sources, that alleged systems at about 100 Staples stores had been breached, and that attackers used some of the same command-and-control infrastructure that was used to hack into the systems of another retailer, Michaels, as well as its subsidiary, Aaron Brothers stores.

Michaels confirmed earlier this year that a breach - traced to "criminals using highly sophisticated malware" - had resulted in 3 million payment cards being compromised via two different attacks (see Michaels Confirms Data Breach). One of those attacks compromised Michaels stores from May 2013 to January 2014, and resulted in the theft of 2.6 million cards, the company said in a statement issued earlier this year. The other attack targeted Aaron Brothers stores from June 2013 to February 2014, and resulted in about 400,000 cards being compromised.

(Executive Editor Tracy Kitten and News Writer Jeffrey Roman also contributed to this story.)


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.



