Staples Investigating Breach Following String Of Payment System Lapses

Staples may be the latest in a long line of retailers that have experienced a credit card breach in 2014, acknowledging on Tuesday that its security team is probing systems for a potential security lapse.

A spokesperson at the Framingham, Mass.-based company confirmed to CRN that its security team was working with law enforcement as part of an ongoing investigation.

"Staples is in the process of investigating a potential issue involving credit card data and has contacted law enforcement," said company spokesperson Mark Cautela in a statement emailed to CRN. "We take the protection of customer information very seriously and are working to resolve the situation. If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis."

[Related: Staples Still Silent On Severity Of Corporate System Breach]

Sponsored post

A Staples spokesperson acknowledged the ongoing breach investigation late Monday to Brian Krebs, an investigative journalist who was first to report that some banks were tracing fraudulent transactions to credit card account holders who shopped at Staples. The retailer has about 1,800 retail locations in the U.S. The scope of the breach hasn't been determined, but the investigation is focusing on stores in Pennsylvania and throughout the Northeast.

In a separate security incident reported by CRN last year, Staples was working with Symantec to contain a breach of its corporate systems. The retailer locked down its corporate systems when it detected a worm spreading on its share drives and was attempting to contain the infection from spreading to other systems. The infection was a common threat called Changeup and was used in campaigns waged by financially motivated attackers. The worm spreads through removable and mapped drives and the malware author continually changes it, making it difficult for antivirus and some network security appliances to prevent it from infecting systems.

In March, Bloomberg reported that Staples planned to close 225 stores in the U.S. as part of cost-cutting measures as it meets stiff competition from and rivals Office Depot and OfficeMax, which merged last year.

Security experts at solution providers say the long line of data breaches will likely continue until retailers take further measures to lock down payment terminals and monitor them for the custom malware. Following massive breaches at Target and Home Depot, the retailers said they were deploying modern payment terminals that support chip-based credit cards to reduce fraud. Terminals need to be restricted, locked down and monitored for remote attacks and physical tampering, according to the Payment Card Industry Security Standards Council. In addition to a rise in memory-scraping malware, attackers probe remote management software for weaknesses and is believed by breach investigators to be a common source of many credit card lapses.

Attacks are becoming increasingly sophisticated with attack campaigns supported by a criminal groups that run a variety of cybercrime business operations, said Tom Richer, chief sales officer at New York-based managed service provider Computer Resources of America. Clients need to use established security best practices and be continually monitoring the security systems they deploy, Richer said.

"There has to be a wholistic strategy in place and not wait for something to happen," Richer said.

Richer said managed services clients across banking, retail and nonprofit verticals are very proactive about identifying threats and monitoring for advisories that impact their space. When a security incident takes place, its important for organizations to understand what happened and prevent the issue that enabled the attacker to gain access. "If there is a major incident you see the resources get focused right away," he said.