Staples: Data breach hit Shrewsbury store, up to 1.16M payment cards

Courtesy of Staples Inc.

Write a Comment

By Emily Micucci

In an update on a data security breach that occurred late this summer, Framingham-based office supply retailer Staples Inc. announced Friday that up to 1.16 million payment cards may have been impacted, with some of the transactions occurring at the Shrewsbury store at 571 Boston Turnpike.

Staples said in a statement that data security experts detected that criminals deployed malware to some point-of-sale systems at 115 U.S. stores. Staples believes the malware may have allowed access to some transaction data at affected stores, which in Massachusetts also include locations in Seekonk, Plymouth and Salem.

Affected data includes cardholder names, payment card numbers, expiration dates and card verification codes on transactions that took place between Aug. 10 and Sept. 16, 2014 in the majority of the stores, Staples said. At two stores in Pennsylvania and New Jersey, the breach may have occurred from July 20 through Sept. 16.

During the investigation, Staples also received reports of fraudulent payment card use at four stores in Manhattan from April through September 2014, but no malware or suspicious activity related to the payment systems at those stores was found.

As a result of the data breach and fraudulent payment card use in Manhattan, Staples is offering free identity protection services to all potentially impacted customers. Services include credit monitoring, identity theft insurance and a free credit report to customers who used payment cards at any of the affected stores during the relevant time periods

Staples said all customers who shopped at the affected stores between those dates should review their account statements and notify card issuers of suspicious activity . Additional information about the incident can be found here.

Meanwhile, the National Association of Federal Credit Unions (NAFCU) issued a statement Friday calling for national standards on data security and breach notification for retailers, citing an increasing number of breaches in the last year, beginning with a data breach at Target stores, which reportedly affected 40 million customers. The NAFCU said there have been 744 breaches in 2014, a jump of about 25 percent over 2013.

“In spite of a year of retail data breaches since the massive Target data breach, American consumers’ sensitive personal and financial information is vulnerable as ever without greater data security or breach notification standards for retailers,” NAFCU president Dan Berger said in a statement. “Congress needs to put an end to cybercriminals’ raid on consumers’ financial and personal information and make retailers subject to the same national data security standards that apply to financial institutions…”