California accounted for a hefty share of the Staples Inc. security breach revealed last week, which may have compromised the personal information of 1.16 million customers.
KrebsOnSecurity first reported the suspected breach in October after hearing from banks about a pattern of credit and debit card fraud that implicated Staples. Staples acknowledged the problem and two months later put out a list (pdf) of the 115 affected stores.
Sixteen are in California. Those stores were infected with point-of-sale malware sometime between August 10 and September 16 that potentially gathered customer credit card numbers, verification codes, expiration dates and full cardholder names.
Krebs suggested that thieves were making counterfeit credit card copies using data stolen from malware-infected Staples cash registers. Customers were finding out they had a problem when they saw their bills, not when Staples notified them of a breach.
Those notifications (pdf) are going out now. Krebs reported in October that Staples would only acknowledge it was looking at a “potential issue” and that it had notified law enforcement. The 5-page notices do
Staples, with 1,400 stores nationwide, is the latest of the big retailers to suffer a security breach. Target kept escalating its damage estimate from a 2013 breach, starting at 40 million compromised customers and peaking at around 110 million. Home Depot said in September that 56 million credit cards had been compromised at its stores earlier in the year.
The breaches are becoming such common occurrences that commenters on stories at tech sites are worrying about breach fatigue. But “Anthony” at KrebsOnSecurity had something else on his mind about a visit he made to Staples. He wrote on Saturday:
“It's sad to say that I reported their computers on the sales floor were able to compromise the network by several very simple methods. I told him that I could see all of the, I believe, about 1,200 servers at the time. Corp told the local store manager that I didn't know what I was talking about and was full of B.S.
“On my second visit to the store, I showed the manager from the sales floor which computer was his that he did payroll on. I created a file on his desktop in the back of the office from the sales floor, then deleted it right in front of the manager with his permission!!! That's security at its finest.”