Staples discloses data breach exposing customer info
by Ionut IlascuGiant office retail company Staples informed some of its customers that data related to their orders has been accessed without authorization.
Few details are available at the moment. The company has not disclosed the incident publicly and alerted affected customers individually over email.
'Non-sensitive data' accessed
It is important to note that Staples’ main business is selling office supplies and related products using retail channels and through business-to-business engagements.
The office retail giant sent out a brief notification letter signed by Staples Inc. CEO Alexander ‘Sandy’ Douglas providing an outline of the incident.
BleepingComputer learned that the event occurred earlier this month around September 2 and consisted of unauthorized access to a system belonging to Staples.
Security researcher Troy Hunt received the notification in a data breach report. It appears that “a limited amount” of order data for customers of Staples.com - suggesting that the Canadian website is not impacted - was accessed by an unauthorized party. This “may have included information about one of your orders,” the letter reads.
The retailer has yet to determine what exactly got accessed but it could contain what Staples classifies as "non-sensitive customer order data:" names, addresses, email addresses, phone numbers, last four credit card digits, details about the order (delivery, cost, product).
These details, though, can still serve malicious purposes in email or phone call scams, or to collect more information for a better prepared attack.
Douglas stresses in the notification that account credentials and full payment card data remained unaffected by the incident and that there is no evidence to point to unauthorized purchases on the customer’s behalf.
Recipients of the Staples data breach notification can learn more by calling Staples directly during business hours. They should choose option 3 to speak to a company representative.
BleepingComputer has reached out to Staples for a statement and is waiting for a reply. We also called the number included in the notification letter and the specified option is for gift cards and data breach information.
Staples managed to stay out of the news as far as security incidents are concerned since the compromise of point-of-sale systems in 2014 at 115 of its retail stores in the U.S.