Staples Inc. says nearly 1.2 million customer payment cards may have been exposed during a security breach this year.
The office supply retailer announced in October that it was looking into a potential credit card breach, adding to a long list of retailers recently hit by cyberattacks.
Staples said Friday that an investigation shows that the criminals used malware that may have allowed access to information for transactions at 115 of its U.S. stores, which total more than 1,400. That includes cardholder names, payment card numbers, expiration dates and card verification codes.
The Framingham, Mass.-based company is offering free identity protection services — including credit monitoring, identity theft insurance and a free credit report — to customers who might be at risk.
The security breach affected different stores at different times from July to September.
Staples said that it has also received reports of fraudulent card use tied to four of its New York stores from April to September. Although it found no evidence of malware at those stores, it is also offering the protection services to customers there as well.
A number of retailers have suffered security breaches.
During last year's holiday shopping season, Target Corp. disclosed that it was hit with an attack that exposed details of as many as 40 million credit and debit card accounts. Home Depot announced in September that a data breach affected 56 million debit and credit cards, and later said hackers also stole 53 million email addresses.