Prompted by reports of bank fraud, office supply chain Staples confirmed that it is investigating a potential data breach, but provided few details.
“Staples is in the process of investigating a potential issue involving credit card data and has contacted law enforcement,” said Mark Cautela, senior public relations manager at Staples, in an email to Advisen. “We take the protection of customer information very seriously, and are working to resolve the situation. If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis. We have no additional information to share at this time.”
Cyber risk researcher and journalist Brian Krebs first reported news from banks that Staples may have been compromised on his blog, KrebsonSecurity.com.
If a data breach is discovered, the Framingham, Mass.-based chain would join other large retailers such as Target, Home Depot, Michael’s in becoming the target of hackers. In its third quarter 10-Q filing with the Securities and Exchange Commission, the company acknowledged the real threat any retailer faces from computer hackers and the possible effects.
“Although we have taken steps designed to safeguard such information, there can be no assurance that such information will be protected against unauthorized access, use or disclosure,” the retailer stated. “Computer hackers may penetrate our or our vendors’ network security and, if successful, misappropriate such information. A Staples associate, contractor or other third-party with whom we do business may misuse confidential or personal information to which they have access; attempt to circumvent our security measures; or inadvertently cause a breach involving such information. Additionally, methods to obtain unauthorized access to confidential information change frequently and may be difficult to detect, which can impact our ability to respond appropriately. We could be subject to liability for failure to comply with privacy and information security laws, for failing to protect personal information, for failing to respond appropriately, or for misusing personal information, such as use of such information for an unauthorized marketing purpose. Loss, unauthorized access to, or misuse of confidential or personal information could disrupt our operations, damage our reputation, and expose us to claims from customers, financial institutions, regulators, payment card associations, employees and other persons, any of which could have an adverse effect on our business, financial condition and results of operations.”