Staples may be the latest target in string of credit card hacks

Staples, which has 1,800 stores nationwide, said it is looking into “a potential issue involving credit card data.” (Lynne Sladky/Associated Press/File 2011)

With breaches of personal and financial data becoming a seemingly routine occurrence, another major retailer is looking into a possible hacking attack: Staples Inc.

The Framingham-based office-supply company disclosed Tuesday that it is investigating “a potential issue involving credit card data,” but did not release additional details.

On Monday, Brian Krebs, who writes a widely followed blog on cybercrime, reported that the attack on Staples initially appeared to be confined to several stores in Pennsylvania, New York, and New Jersey.

If the breach is confirmed, Staples would be the latest of many consumer brands that have fallen prey to hackers. Since retailer Target Corp. was hacked in late 2013, hundreds of millions of credit card records and personal records, such as names and phone numbers, have been stolen from sandwich shops, grocery stores, and financial institutions — affecting as many as 6 out of 10 Americans, according to Chester Wisniewski, a senior security analyst at the antivirus company Sophos.

“We’re not even a year out from Target and there’s been 15 or 20 major American brands breached,” said Wisniewski. “If you process cards, you definitely have a target on your back.”


Throughout 2014, consumers have been rocked by a steady drumbeat of large-scale hacking attacks. In September, Home Depot, the home-improvement supplier with 2,200 stores across the United States, said that some 56 million customers had their payment card data stolen over a five-month period.

That same month, sandwich chain Jimmy John’s said customers at 216 of its restaurants may have had their card information exposed.

In October, financial giant JPMorgan Chase & Co. said that contact information, such as phone numbers and e-mail addresses, for 83 million account holders had been taken. However, the bank said thieves did not obtain even more sensitive data, such as Social Security numbers or log-in credentials of its customers.


News reports of the JPMorgan Chase attack suggested that nine other banks were also targeted. And on Oct. 10, Illinois-based retailer Kmart said an undetermined amount of credit and debit card information was stolen by hackers.

In Massachusetts, companies reported 1,821 instances of data theft in 2013, but many of those were banks reporting individual cardholders, according to Jayda Leder-Luis, a spokeswoman for the state’s Office of Consumer Affairs and Business Regulation.

Dennis Fisher, the Boston-based editor of the Threatpost news service published by computer security firm Kaspersky Lab, said electronic payment systems have multiple points that hackers can attack.

One is at the retailer, especially if it’s using an older system. Customer information also is often routed through intermediaries, such as payment processors, which have proved vulnerable to attack.

“The fundamental problem that underlies many of these retail breaches is that once a customer swipes her card at a point-of-sale terminal or enters it online, the data is out of her control,” said Fisher. “There are so many things that can go wrong in this system, and it only takes a small mistake for an attacker to get the opening he needs.”

Credit card companies have proposed solutions to reduce the impact of data theft. Retailers and banks are switching American consumers over to credit and debit cards with chips in them that generate unique codes to secure every transaction. These so-called EMV cards are already used widely in Europe and Japan.

By October 2015, some 70 percent of American credit cards and 40 percent of debit cards are expected to contain the new technology.


Tech companies have also designed payment technologies to reduce the value of stolen payment data.

Apple Pay, the application built into the iPhone 6 that makes payments by waving a phone near a card terminal, is designed to make secure payments based on the same principle as EMV.

Some 220,000 retailers have signed on to accept Apple Pay, including Staples’s 1,800 locations.

Still, controlling theft in the first place can be difficult, said Trey Ford, the global security strategist at Rapid7, a Boston-based cybersecurity firm.

“It will always be a game of cat-and-mouse,” he said. “It’s just the world we live in.”

Jack Newsham can be reached at jack.newsham@globe.com. Follow him on Twitter @TheNewsHam.