Slashdot Mirror

← Back to Stories (view on slashdot.org)

Staples: Breach May Have Affected 1.16 Million Customers' Cards

Posted by timothy on from the your-name-here dept.

mpicpp writes with this excerpt from Fortune: Staples said Friday afternoon that nearly 1.16 million customer payment cards may have been affected in a data breach under investigation since October. The office-supply retailer said two months ago that it was working with law enforcement officials to look into a possible hacking of its customers' credit card data. Staples said in October that it had learned of a potential data theft at several of its U.S. stores after multiple banks noticed a pattern of payment card fraud suggesting the company computer systems had been breached. Now, Staples believes that point-of-sale systems at 115 Staples locations were infected with malware that thieves may have used to steal customers' names, payment card numbers, expiration dates and card verification codes, Staples said on Friday. At all but two of those stores, the malware would have had access to customer data for purchases made between August 10 and September 16 of this year. At the remaining two stores, the malware was active from July 20 through September 16, the company said.

3 of 97 comments (clear)

  1. Re:I think it's about time... by plover · · Score: 4, Informative

    I think it's about time we implemented some sort of single use credit card system.

    That's how Chip and PIN works. Your account number is still fixed, but your authorization to spend from it (your PIN) is encrypted by the chip, and is valid only for a single transaction. There are still kinks with non-electronic transactions, but those can be solved.

    Look for it to be all over the US by October of next year.

    --
    John
  2. store list by CrAlt · · Score: 4, Informative

    Here is the list of stores

    http://staples.newshq.business...

    --
    I have to return some videotapes...
  3. Re:One number to breach them all by plover · · Score: 4, Informative

    I can only think the reason it hasn't been fixed is because fraud makes the banks money and they love seeing stories like this.

    Well, you would be very wrong. Fraud costs both the retailers and the banks money. The real problem is that issuing new chip cards would cost the banks more than the fraud. Not only are the cards about a dollar more expensive each, and they still have to be re-issued about every three years, but the systems that inject encrypted keys into them, and store the keys on their databases, are very expensive. Banks are notoriously cheap when it comes to spending money that won't make them money.

    The other reason EMV hasn't rolled out across the U.S. is that millions of retailers have about 12 million old credit card terminals spread across the country, and most are owned by cheap store owners who don't like being told they have to spend money to replace them. Most retailers have been dragging their feet, not wanting to make an expensive change. But the new members of the breach-of-the-month club are mad about the insecure systems they've been forced to use, and are now championing the rapid switch to EMV instead of fighting it. The smaller retailers are also impacted now, and are no longer resisting.

    The irony is that EMV readers for the small retailers are far, far cheaper than the old terminals, and the rates for using new companies like Square, Intuit, and PayPal are much lower than the typical old bank rates for the old credit card readers.

    --
    John