Technology journalist Brian Krebs reported that a pattern of credit and debit card fraud is being linked to Staples.
Technology journalist Brian Krebs reported that a pattern of credit and debit card fraud is being linked to Staples.

Office supplies retailer Staples is “in the process of investigating a potential issue involving credit card data,” according to a statement emailed to SCMagazine.com on Tuesday by Mark Cautela, senior public relations manager with Staples.

The company has contacted law enforcement.

“We take the protection of customer information very seriously, and are working to resolve the situation,” the statement indicates. “If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis.”

Citing more than a half-dozen sources at East Coast banks, technology journalist Brian Krebs reported on Thursday that a pattern of credit and debit card fraud is being linked to Staples. 

According to Krebs, the cards involved in the fraudulent transactions were previously used at Staples locations in the Northeast, including seven stores in Pennsylvania, at least three in New York City and one in New Jersey.

The fraudulent transactions were made at businesses including supermarkets and other big retailers, Krebs wrote.

“The regional aspects of this breach may indicate that there was more of a physical attack element involved in this breach compared to other recent high profile breaches,” Craig Young, security researcher with Tripwire, said in a statement emailed to SCMagazine.com on Tuesday. “It is possible that attackers found a way to compromise stores in person via WiFi or perhaps exposed USB or Ethernet ports.”

It could be that point-of-sale (POS) – cash registers, checkouts or refund stations – malware was pushed down to certain stores during a POS patch, Mark Bower, VP of product management for Voltage Security, suggested in a statement emailed to SCMagazine.com on Tuesday.

“The breach shows the necessity of moving from trying to prevent an attack to try and detect and respond as quickly as possible,” Aviv Raff, CTO of Seculert, wrote in a statement emailed to SCMagazine.com on Tuesday.