
Staples breach update: Cyberinsurance may cover retailer's costs

A new report links the Staples security breach to an intrusion at craft retailer Michaels. Meanwhile, Staples confirmed it had purchased cyberinsurance to cover the still-unknown cost of its breach.

Office-supply chain Staples Inc. on Wednesday provided new details to the company's investors on its ongoing data breach investigation, while a report from earlier this week linked the incident to previous breaches at arts and crafts retailer Michaels Stores Inc.

In a 10-Q filing with the U.S. Securities and Exchange Commission, Framingham, Mass.-based Staples confirmed that the breach, spotted in late October, is still being investigated, but that the company is confident that the malware used by attackers to target the organization's point-of-sale systems has been eliminated.

It is still unclear how many retail locations may have been affected by the Staples security breach. A previous report from veteran security blogger Brian Krebs narrowed the scope of the incident to stores in New York, Pennsylvania and New Jersey.

Staples also failed to provide investors with any hint regarding whether the data breach may be as costly as those that struck other retailers recently. For instance, experts have estimated that the cost of the Target breach may reach $1 billion total, with the company noting in a financial filing that it is "unable to reasonably estimate the amount of any losses or the amount of expenses we will incur in addressing this incident." Still, Staples seemed to express optimism that the associated costs wouldn't be significant.

"We maintain network-security insurance coverage, which we expect would help mitigate any material financial impact," said Staples in its 10-Q filing.

Cyberinsurance has become an increasingly popular option with enterprises as of late, with recent statistics showing the industry has grown by nearly $400 million since 2007.

A Staples spokesperson had yet to reply to SearchSecurity's inquiries as of Thursday morning.

Beyond the details provided in the Staples filing, a report by Krebs earlier this week indicated that connections may exist between the Staples breach and the two separate, lengthy intrusions that struck Michaels.

In the report, Krebs said that sources close to the ongoing investigation told him that the malware used to target Staples' systems communicated via the same command-and-control networks as those used in the Michaels intrusions.

The Michaels incident had resulted in the theft of more than three million payment cards.

Next Steps

The Backoff malware has been one of the most pervasive strands of point-of-sale malware in recent times and the subject of multiple U.S. government advisories. According to recent statistics, Backoff infections are only growing.
