December 19, 2014

Office supply chain Staples Inc. today finally acknowledged that a malware intrusion this year at some of its stores resulted in a credit card breach. The company now says some 119 stores were impacted between April and September 2014, and that as many as 1.16 million customer credit and debit cards may have been stolen as a result.

KrebsOnSecurity first reported the suspected breach on Oct. 20, 2014, after hearing from multiple banks that had identified a pattern of credit and debit card fraud suggesting that several Staples office supply locations in the Northeastern United States were dealing with a data breach. At the time, Staples would say only that it was investigating “a potential issue” and had contacted law enforcement.

In a statement issued today, Staples released a list of stores (PDF) hit with the card-stealing malware, and the stores are not limited to the Northeastern United States.

“At 113 stores, the malware may have allowed access to this data for purchases made from August 10, 2014 through September 16, 2014,” Staples disclosed. “At two stores, the malware may have allowed access to data from purchases made from July 20, 2014 through September 16, 2014.”

However, the company did say that during the investigation Staples also received reports of fraudulent payment card use related to four stores in Manhattan, New York at various times from April through September 2014.

Aviv Raff, chief technology officer at Seculert, said the per-store minimum time to detect and respond to the breach was an average of 40 days.

“Once again, much like previous breaches, the statistics of the Staples’ breach shows the necessity of moving from trying to prevent an attack to try and detect and respond as quickly as possible,” Raff said.

Source: Seculert

It appears that the attackers responsible for the Staples break-in are not the same group thought to have hit Target and Home Depot. In November, I posted a story that cited sources close to the Staples investigation saying the breach at Staples impacted roughly 100 stores and was powered by some of the same criminal infrastructure seen in the intrusion disclosed earlier this year at Michaels craft stores.

33 thoughts on “Staples: 6-Month Breach, 1.16 Million Cards”

  1. LL Herb J

    Sadly, but perhaps not surprisingly, the Staples-provided link to the list of affected stores (on the page you linked to) is broken.

    1. Sarah

      Link not ‘broken’, just have to read what’s there to see where to click a further link. Gives states/stores, start and end dates of problem period.

    2. JoeF

      The link doesn’t seem to work with Mozilla. I copy-pasted it into IE, and there it worked…

  2. Dr. Zackary Smith

    Getting cyber-breach fatigue with all the ongoing news stories taking place

  3. Anthony Hadley

    Fortunately there haven’t been any allegations of any harm and card holders can take advantage of Experian’s tremendous credit monitoring service…for free!

    1. Jonathan E. Jaffe

      Anthony Hadley – the credit monitoring may be at no-charge to the affected consumer, but those costs are, or will be, included in the prices. That means consumers have already paid for it or will.

      We need to prevent consumer credentials held at any merchant (physically present, electronically present, even NON-present) from having value to crooks so even if those credentials are stolen, there is no reward for the crooks. There is at least one way.

      Jonathan @NC3mobi

      1. Anthony Hadley

        Always enjoy the “customers are paying for cost of compromise in the prices of product” argument. Do you think the prices will go down if they figure out how to secure transactions? Here’s a hint….NO.

        1. Infosec Pro

          Thanks for the lulz Anthony. Who else do you think pays? Does it come out of the executive bonus pool, or the shareholder dividend checks? Or does the money to pay for the breach costs just mysteriously appear out of thin air? I always enjoy such ignorant useless comments as yours…

          1. AGoldenLife

            Hold on a sec you two, stop with the bashing please. Can’t we be civilized? You both make valid points, and they both are moot anyway. While more than likely the cost of items will go up because the company will want to make up the loss, it will likely be minimal and not immediate. It is also true the price isn’t going to go down either just because they were able to prevent it. Ultimately all costs get pushed to consumers, as that is a company’s source of revenue. So even if they attempt to implement a more secure database, or transaction encryption or whatever, all those costs will be passed along in the products and services we buy. So the points are really moot, as it misses what we should be focused on, and that is preventing these crimes, and not allowing thieves to profit on this kind of behavior. While I don’t like all the breaches we have seen in the past 2 years, the pain will inevitably drive change. Hopefully for the better.

            1. Rick M.

              So let’s say Staples raises their prices but Office Max does not; who will get more business??

            2. Infosec Pro

              Sorry, didn’t mean to be so harsh. Just a little tired of folks denigrating the cost issue.

              You’re right about the bottom line. Big part of the problem is that until there’s a breach the only impact to the bottom line is the cost of trying to prevent something that seems uncertain. Statistically it’s getting to the point that it is certain, just a question of when, but most people are in denial that it would ever happen to them. And when it does happen there is a habit of blaming the victim. None of that is constructive towards preventing future breaches. Nor is ignoring the cost when they do happen.

            3. Thomas Reardon

              Aviv Raff points out, quoted by Brian, “much like previous breaches, the statistics of the Staples’ breach shows the necessity of moving from trying to prevent an attack to try and detect and respond as quickly as possible.” When organizations assume they are already breached, they will invest more in detection and remediation. Prevention has long been a lost cause.

  4. stephen

    Brian, for each of these large chain store breaches, wouldn’t it be appropriate to also report the name of the Point-Of-Sale equipment vendor and their role, if known? Your first report on Staples said the malware was on the “cash registers”. Don’t the POS equipment/software vendors carry a significant responsibility for these breaches, as well as the chain?

    1. BrianKrebs Post author

      If I’d had that information, it would have certainly been in the story. It’s not enough, even, to visit a Staples and see for yourself, if you don’t know which stores are impacted. You certainly would be able to do that now, but probably only Staples could say that, or someone who worked in IT there.

    2. Jonathan

      Good call on the POS/Hardware vendor.
      Also any details at all on the Malware would be helpful as well.

      1. Infosec Pro

        Jonathan, if you are in a position with a need to know, that information about the malware is available. If not, what benefit would there be in providing it? Might help sate your curiosity, might also help other miscreants learn from it. Not a compelling trade off.

  5. John R.

    When these POS breaches take place, is the three-digit verification code on the back of the card usually included in the data stolen? I find that these days I’m almost always asked for this code for card-not-present transactions.

  6. Andrew M.

    Just what I wanted for Christmas- more free credit monitoring!

  7. PhantomTramp

    That was easy!

    (Sorry, couldn’t help it).

    The Tramp

  8. Anthony

    It’s sad to say that I reported their computers on the sales floor were able to compromise the network by several very simple methods. I told him that I could see all of the (I believe about 1200) servers at the time. Corp told the local store manager that I didn’t know what I was talking about and was full of B.S.

    Second visit to the store I showed the manager from the sales floor which computer was his that he did payroll on. I created a file on his desktop in the back of the office from the sales floor then deleted it right in front of the manager with his permission!!! That’s security at its finest.

    1. Anthony

      PS: I called the Corp CIO (I believe it was Tom Conophy) and spoke to his secretary and left a voicemail for him. Never received a reply from him. I could care less any more. It’s pathetic. This is getting to be the norm anymore.

      1. Sir Shartsalot

        “I could care less” is a null-logic statement.

  9. anshuman

    Do we know which or how many controls of PCI are in non-compliance at Staples? What exactly got compromised? Perimeter security devices? Do they have SIEM and security analytics platforms?

    Just curious, how many days did it take to detect for Home Depot, Target, JPMC?

    Will PCI QSAs be blamed, or will PCI itself be revisited and revised, looking at the series of hacks in 2014 alone?

    All of the compromises observed are in the retail and consumer vertical, barring JPMC.

    1. Greg

      I very much doubt that we will ever know with any certainty. Details of this sort generally do not (except for what got compromised, in the event of Pastebin dumps, etc. by the attackers) and definitely should not, come out. Further, whatever information might appear will be suspect.

      Consider that accurate information to that level of detail, in the case of Security Incident and Event Management (SIEM) and analytics capabilities invites further compromise, or evasion of detection. Which means harm to yet more people.

      If the information *were* accurate for the time of the breach, but does not reflect the current state, it would be useful as a single ‘do not do this’ data point. Not terribly useful.

      But really, how would you ever judge the accuracy of the information? This isn’t going to involve a criminal trial. There won’t be publicly-available court records.

      Large news organizations, such as Bloomberg, might have sources who are ‘familiar with the matter’, but they don’t report that level of detail. A contracted security services provider would be capable of going into that level of detail, but would likely be revealed as the leaker. The blow to their reputation, for such an obvious professional ethics violation, might not be survivable.

      As for the validity of PCI compliance, not much really needs to be said. For better or for worse, compliance and security continue to be very different things. Mechanisms such as PCI have inherent problems. Consider the long history of problems with vulnerability scanners.

  10. Global Learning

    We recently changed office supply companies and are breathing a sigh of relief. We used to go to the local Staples store to get what we needed but decided it would be easier to order online. As an office supply store, you would think they had more safeguards in place.

  11. Don Reilly

    My business card was compromised and the most likely candidate was Staples, however, I haven’t used any of the stores on the list. Either the list is incomplete or I got hit by an airline, hotel, rental car, or restaurant breach that hasn’t made the news.

    As a hotel consultant I am interested in which POS and credit card processor is involved. On the other hand, I understand the Target breach was accomplished through the system of an HVAC contractor so the POS and credit card processor may not be relevant.