Staples Inc said computer criminals stole the personal information from 1.16 million debit and credit cards back during back to school shopping season. Stores affected were from Massachusetts to California.
The company, based in Framingham, Massachusetts said its payment machines had been infected by malicious software at more than 113 stores that had compromised the data from customers between August 10 and September 16.
At two of the Staples stores, the hack began during July.
Staples did not identify who the attackers were, but did say the malware was in its system of point-of-sale, which included their cash registers and some terminals that handle debt and credit card transactions.
Staples said it believed that the criminals might have gained access to the names of customers, their card numbers, dates of expiration and the verification code on the card.
The theft of information at Staples is the most recent in a number of high-profile hacks on big retail chains in the U.S. during the past year.
The largest was Home Depot, which this past spring affected over 56 million credit or debit card accounts. Last year, during the holiday shopping season, Target was hit with an attack, in which hackers took information from more than 40 million payments cards.
The hit list includes Neiman Marcus the luxury retailer, P.F. Chang’s the restaurant chain and the thrift stores Goodwill.
Staples acknowledged the possible breach back in October, but said that it was first detected during September. At the time, the retailer eradicated the malicious malware.
A spokesperson would not say the payment systems had been infected or which external data security firm was used to carry out the investigation.
Investigators found that there was not malicious software in four Manhattan stores that had reported fraudulent charges on cards.
Staples offered its customers free credit reporting as well as identity theft protection.
Staples said additional information regarding the theft, including dates regarding access and how to receive free credit monitoring were available through its official website.