Office-supply chain Staples Inc. Wednesday provided new details to the company's investors on its ongoing data breach investigation, while a report from earlier this week linked the incident to previous breaches at arts and crafts retailer Michaels Stores Inc.
In a 10-Q filing with the U.S. Securities and Exchange Commission, Framingham, Mass.-based Staples confirmed that the breach, spotted in late October, is still being investigated, but that the company is confident that the malware used by attackers to target the organization's point-of-sale systems has been eliminated.
It is still unclear how many retail locations may have been affected by the Staples security breach. A previous report from veteran security blogger Brian Krebs narrowed the scope of the incident to stores in New York, Pennsylvania and New Jersey.
Staples also failed to provide investors with any hint regarding whether the data breach may be as costly as those that struck other retailers recently. For instance, experts have estimated that the cost of the Target breach may reach $1 billion total, with the company noting in a financial filing that it is "unable to reasonably estimate the amount of any losses or the amount of expenses we will incur in addressing this incident." Still, Staples seemed to express optimism that the associated costs wouldn't be significant.
"We maintain network-security insurance coverage, which we expect would help mitigate any material financial impact," said Staples in its 10-Q filing.
A Staples spokesperson had yet to reply to SearchSecurity's inquiries as of Thursday morning.
Beyond the details provided in the Staples filing, a report by Krebs earlier this week indicated that connections may exist between the Staples breach and the two separate, lengthy intrusions that struck Michaels.
In the report, Krebs said that sources close to the ongoing investigation told him that the malware used to target Staples' systems communicated via the same command-and-control networks as those used in the Michaels intrusions.
The Michaels incident had resulted in the theft of more than three million payment cards.
The Backoff malware has been one of the most pervasive strains of point-of-sale malware in recent times and the subject of multiple U.S. government advisories. According to recent statistics, Backoff infections are only growing.