Monday evening, investigative journalist Brian Krebs reported that multiple banking sources were seeing a pattern of credit and debit card fraud. The common thread between each case were purchases made at Staples Inc. stores in the Northeastern U.S.
There isn't a lot to go on if in fact the latest retailer to be breached is Framingham, Mass.-based Staples Inc.
What's known for sure comes from the sources that spoke on background to Krebs. They said the fraudulent transactions were traced to cards that made purchases at Staples stores in Pennsylvania, New York City, and New Jersey.
In a statement to Salted Hash, Mark Cautela, Senior Public Relations Manager for Staples Inc., said that the company is investigating a potential issue involving credit and debit card data, and that law enforcement has been contacted.
When asked for additional details, Cautela declined further comment.
"Staples is in the process of investigating a potential issue involving credit card data and has contacted law enforcement. We take the protection of customer information very seriously, and are working to resolve the situation. If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis." - Mark Cautela, Senior Public Relations Manager, Staples
Given the pattern in recent months, it's possible that Staples has fallen victim to Backoff, a malware family that targets POS systems, or a similar variant.
Backoff entered the public eye earlier this summer, after the U.S. Secret Service issued a warning to retailers. The attackers installed Backoff after locating poorly protected instances of remote management software, such as LogMeIn, or similar services from Microsoft, Apple, or Chrome.
At the time, some 600 businesses were victimized by the malicious code, but that number was expected to increase.
This story will be updated as the situation develops.
This story, "Staples Confirms Data Breach Investigation" was originally published by CSO.