Staples Inc is investigating a possible breach of payment card data and has contacted law enforcement about the matter, making it the latest U.S. retailer to become a possible victim of a cyberattack.
"Staples is in the process of investigating a potential issue involving credit card data and has contacted law enforcement," company spokesman Mark Cautela said in a statement late Monday.
The office-supply retailer disclosed the investigation after security reporter Brian Krebs reported on his blog Krebsonsecurity.com that several banks have identified a pattern of payment card fraud suggesting that several Staples stores in the northeastern United States had succumbed to a data breach.
"We take the protection of customer information very seriously, and are working to resolve the situation," Cautela said.
"If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis."
Staples did not provide additional details of the data breach.
The office supply chain is just the latest victim in a string of retail data breaches. Home Depot suffered one of the largest, as the Christian Science Monitor reported last month:
The home improvement retailer is the latest high profile target to fall victim to a data breach. Last month, United Parcel Service (UPS) and Dairy Queen confirmed that their customer information was compromised. Last year, Target had data from 40 million payment cards and personal information on 70 million customers stolen. Neiman Marcus, P.F. Chang’s China Bistro, Costco Wholesale, and Kroger Co. have also suffered recent cyberattacks.
To accept credit cards, companies must comply with Payment Card Industry data standards. Without meeting these standards, a company cannot accept credit or debit cards. But it can still be easy to break into PCI-compliant systems, says Stephen Cobb, senior security researcher at ESET.
“It is possible to be PCI compliant and still be hacked,” Mr. Cobb notes, adding that the series of attacks has happened because businesses don't go beyond minimum requirements. “There is a lot of discussion about updating the standard, and a lot of people in security are saying ‘having a standard in compliance isn't being secured.’”
Currently, it is up to each individual business to decide if they want to add other security measures to prevent cyberattacks. After Target was attacked, the company accelerated a chip-and-pin program on its Target credit cards to better protect credit card information. But some experts say businesses haven't gone far enough to protect themselves from breaches.
A spokesman for Home Depot said the retailer could not release further information on its own data protection procedures.
“The problem with security is that it is like insurance. It is something you have to invest in up front, and the attack may or may not happen,” said Phil Montgomery, executive vice president of Identiv, a security firm. “It’s hard for businesses to know that they should invest in security because of the uncertainty, but they are risking the confidence of consumers if breached, which is happening with regularity.”
With each breach, businesses are losing business and consumer confidence. Thus far, Target has spent $146 million in breach-related expenses, not including insurance payments.
“Cyber attacks probably aren’t going to go away anytime soon because security is going to require a big investment,” Cobb says. “Payment technology needs to be seriously upgraded. People have been saying this for many years, but now we are seeing the consequences for it not happening.”
The only thing customers can do right now is keep an eye on bank statements, according to the Federal Trade Commission. That includes comparing receipts to your bank statement, checking any bills that you receive to make sure they were your purchases, and letting your credit card issuer know if there are any questionable charges. Customers can also keep an eye out for an email from their credit card company regarding possible fraud.
Earlier this month, Sears Holdings Corp said it was the victim of a cyberattack that likely resulted in the theft of some customer payment cards at its Kmart stores.
Restaurant chain Dairy Queen, owned by Berkshire Hathaway Inc, also said that it may have compromised payment card information of customers across 46 U.S. states. Other widespread breaches include those of Home Depot Inc, Michaels Stores Inc and Neiman Marcus.
(Reporting by Jim Finkle and Supriya Kurane; Editing by Edwina Gibbs and Gopakumar Warrier)