Back in October, it was announced that banks were investigating Staples based on fraudulent card activity.
Staples’ data security experts detected that criminals deployed malware to some point-of-sale systems at 115 of its more than 1,400 U.S. retail stores. Upon detection, Staples immediately took action to eradicate the malware in mid-September and to further enhance its security. Staples also retained outside data security experts to investigate the incident and has worked closely with payment card companies and law enforcement on this matter.
Based on its investigation, Staples believes that malware may have allowed access to some transaction data at affected stores, including cardholder names, payment card numbers, expiration dates, and card verification codes. At 113 stores, the malware may have allowed access to this data for purchases made from August 10, 2014 through September 16, 2014. At two stores, the malware may have allowed access to data from purchases made from July 20, 2014 through September 16, 2014.
It appears that the attackers responsible for the Staples break-in are not the same group thought to have hit Target and Home Depot. Read more at Krebs.