Staples investigating possible credit card data breach

Staples is investigating a possible breach of payment card data and has contacted law enforcement about the matter, making it the latest US retailer to become a possible victim of a cyberattack. Staples shares fell in early morning trading on the news. 

Mike Blake/Reuters/File
A Staples store is shown in Encinitas, Calif. Staples is investigating a possible data breach, the retailer said Tuesday, Oct. 21, 2014.

Staples Inc is investigating a possible breach of payment card data and has contacted law enforcement about the matter, making it the latest U.S. retailer to become a possible victim of a cyberattack.

"Staples is in the process of investigating a potential issue involving credit card data and has contacted law enforcement," company spokesman Mark Cautela said in a statement late Monday.

The office-supply retailer disclosed the investigation after security reporter Brian Krebs reported on his blog that several banks have identified a pattern of payment card fraud suggesting that several Staples stores in northeastern United States had succumbed to a data breach.

"We take the protection of customer information very seriously, and are working to resolve the situation," Cautela said.

"If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis."

Staples did not provide additional details of the data breach.

The office supply chain is just the latest victim in a string of retail data breaches. Home Depot suffered one of the largest, as the Christian Science Monitor reported last month:

The home improvement retailer is the latest high profile target to fall victim to a data breach. Last month, United Parcel Service (UPS) and Dairy Queen confirmed that their customer information was compromised. Last year, Target had data from 40 million payment cards and personal information on 70 million customers stolen. Neiman Marcus, P.F. Chang’s China Bistro, Costco Wholesale, and Kroger Co. have also suffered recent cyberattacks.

To accept credit cards, companies must comply with Payment Card Industry data standards. Without meeting these standards, a company cannot accept credit or debit cards. But it can still be easy to break into PCI-compliant systems, says Stephen Cobb, senior security researcher at ESET.

“It is possible to be PCI compliant and still be hacked," Mr. Cobb notes, adding that the series of attacks are because businesses don't go beyond minimum requirements. “There is a lot of discussion about updating the standard, and a lot of people in security are saying ‘having a standard in compliance isn't being secured.'"

Currently, it is up to each individual business to decide if they want to add other security measures to prevent cyberattacks. After Target was attacked, the company accelerated a chip-and-pin program on its Target credit cards to better protect credit card information. But some experts say businesses haven't gone far enough to protect themselves from breaches.

A spokesman for Home Depot said the retailer could not release further information on its own data protection procedures

“The problem with security is that it is like insurance. It is something you have to invest in up front, and the attack may or may not happen," said Phil Montgomery, executive vice president of Identiv, a security firm. "It’s hard for businesses to know that they should invest in security because of the uncertainty, but they are risking the confidence of consumers if breached, which is happening with regularity.”

With each breach, businesses are losing business and consumer confidence. Thus far, Target has spent $146 million in breach-related expenses, not including insurance payments.

“Cyber attacks probably aren’t going to go away anytime soon because security is going to require a big investment,” Cobb says. “Payment technology needs to be seriously upgraded. People have been saying this for many years, but now we are seeing the consequences for it not happening.”

The only thing customers can do right now is keep an eye on bank statements, according to the Federal Trade Commission. That includes comparing receipts to your bank statement, check any bills that you receive to make sure they were your purchases, and letting your credit card issuer know if there are any questionable charges. Customers can also keep an eye out for an email from their credit card company regarding possible fraud.

Earlier this month, Sears Holdings Corp said it was the victim of a cyberattack that likely resulted in the theft of some customer payment cards at its Kmart stores.

Restaurant chain Dairy Queen, owned by Berkshire Hathaway Inc, also said that it may have compromised payment card information of customers across 46 U.S. states. Other widespread breaches include those of Home Depot Inc, Michaels Stores Inc and Neiman Marcus.

(Reporting by Jim Finkle and Supriya Kurane; Editing by Edwina Gibbs and Gopakumar Warrier)

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to Staples investigating possible credit card data breach
Read this article in
QR Code to Subscription page
Start your subscription today