Staples says malware that infected its registers in 115 stores had access to bank card numbers from 1.16 MILLION customers.
The US chain today confirmed that hundreds of thousands of Americans are at risk of fraud after spyware compromised tills between August 10 and September 16 of this year, and as far back as July 20 for two shops in particular.
Staples had given word of the attack in October, stating the breach was limited to a small number of its 1,400 outlets in the US.
Despite early reports that the breach was limited to locations on the East Coast, a list of stores [PDF] provided by the company reveals infections cropping up from Los Angeles to New York City.
As with other high-profile retail breaches, the attackers appear to have infected the point-of-sale (POS) terminals with malware that was able to read off credit and debit card data swiped through the machines – data that can be used by fraudsters to clone and use victims' cards.
The stationery biz said it will provide free credit-monitoring and identity-theft insurance for all affected customers.
"Typically, customers are not responsible for any fraudulent charges on their credit cards that are reported in a timely fashion," Staples said in a statement.
"Staples customers who shopped at the affected stores during the relevant time periods should review their account statements and notify their card issuers of any suspicious activity."
The breach is relatively small: big box chain Target has had to shell out hundreds of millions of dollars after 40 million customer credit cards were compromised in a 2013 data heist, while Home Depot was hit for the leaking of 56 million payment cards. ®