Office supply chain Staples Inc. has confirmed that it is investigating reports of a possible breach of payment card information at an undisclosed number of its U.S.-based locations.
Details of the possible Staples breach first surfaced yesterday on the site of veteran security journalist Brian Krebs, who said that Staples confirmed it is investigating the issue and has contacted law enforcement officials. Krebs said that unnamed sources at a half-dozen banks have linked fraudulent transactions at other businesses back to payment cards used at Staples stores in New York, Pennsylvania and New Jersey.
The card data theft appears to have been limited to Staples locations in the northeastern U.S., Krebs added, though the company, based in Framingham, Mass., has more than 1,800 stores across the country.
"The fraudulent charges occurred at other (non-Staples) businesses, such as supermarkets and other big-box retailers," Krebs wrote on his site. "This suggests that the cash registers in at least some Staples locations may have fallen victim to card-stealing malware that lets thieves create counterfeit copies of cards that customers swipe at compromised payment terminals."
RAM-scraping malware that targets point-of-sale systems has been responsible for several high-profile retail data breaches in the past few years. The Backoff malware in particular has been linked by government agencies to possible breaches at more than 1,000 U.S. businesses.
Staples has yet to confirm the details of its suspected breach, including the methods used by the attackers and how long the breach went undetected, but information obtained by SearchSecurity indicates that the internal investigation into the breach had been underway since at least mid-September.
"We take the protection of customer information very seriously, and are working to resolve the situation," said company spokesperson Mark Cautela in a press statement. "If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis."