Office supply chain store giant Staples Inc. said about 1.16 customer payment cards may have had personal information stolen in a data breach which has been under investigation since October.
The Framingham-based company reported on Friday that malware had been deployed at some point-of-sale systems at 115 of its stores across the US.
Staples, which has over 1,400 stores nationwide, said the data breach affected retail outlets in 35 states.
It claims it took immediate action to eradicate the malware as soon as it was detected in mid-September.
According to its investigation so far, the company believes the malware may have allowed access to some transaction data at several stores, including card verification codes, expiration dates, payment card numbers, and cardholder names.
In 113 of the stores, data breaches are through to have occurred from August 10th to September 16th. At two stores, successful hacking may have started on July 20th.
US payment cards are the least secure among the advanced economies.
Staples says it is offering free credit monitoring, credit reports, and identity theft insurance to customers who used their payment cards at the affected stores during the relevant dates.
The investigation also revealed that payment cards in four stores in Manhattan, New York, may have been breached from April through September. However, Staples added that its investigators have so far uncovered no evidence of malware or suspicious activity at those stores.
In an official statement, Staples wrote:
“Staples is committed to protecting customer data and regrets any inconvenience caused by this incident. Staples has taken steps to enhance the security of its point-of-sale systems, including the use of new encryption tools.”
Staples shares slipped by about 0.5% on Friday. However, the company’s stock has climbed over 40% since October when it first announced the news of the breach.
The United States, which has by far the highest percentage of cardholders using obsolete payment systems (using the magnetic band rather than a microchip), also has proportionally the highest incidence globally of card data breaches.
The number of data breaches reached record levels in the US in 2014. From January to September 2014, there were 568 data breaches involving over 75 million records.
Identity theft is a growing problem in virtually every country.