Shoppers who made purchases last fall at two of Staples Inc.’s stores in Maine are being encouraged to check their credit and debit card accounts for suspicious activity.

The office-supply company recently revealed that its stores at 201 Mariner Way in Biddeford and 8 Gurnet Road in Brunswick were among 115 stores nationwide affected by a malicious data breach that has exposed an estimated 1.16 million payment cards to potential theft.

Staples, which has more than 1,400 stores nationwide, discovered the breach in mid-September and announced it publicly in October. The week before Christmas, the company revealed the results of its investigation, including the specific stores affected, and mailed letters to potentially affected customers encouraging them to review their financial statements.

The company’s investigation found that malware had been installed on the point-of-sale systems at 113 of its stores, including the two Maine stores, that allowed access to confidential payment card information from purchases made between Aug. 10, 2014, and Sept. 16, 2014. Potentially exposed information includes the payment card numbers, expiration dates and verification codes, according to the company.

Mark Cautela, a Staples spokesman, would not confirm how many affected customers were linked to the two Maine stores. He said the company wasn’t disclosing additional information.

Two other stores in New York had malware that allowed access to purchases made between July 20, 2014, and Sept. 16, 2014. A full list of affected stores and dates is available on Staples’ website.


Staples is offering free credit monitoring and identity protection services to customers who have been affected.

The Staples data breach is one of the latest high-profile breaches that have hit big retail companies such as Target, Home Depot and Neiman Marcus in the past year.

The fact that it took Staples a month to detect the breach suggests companies need to increase their detection capabilities, said Eugene Slobodzian, vice president of security at Winxnet, a Portland-based information-technology firm. While frontline security measures will always be of paramount importance, the ability to quickly detect a breach should be given just as much attention, Slobodzian said.

“The businesses are not spending enough effort on detection,” he said. “Most of that to date has been spent on the brick-and-mortar controls: the firewall, the secure wireless access points.”

The number and frequency of these data breaches are creating “fatigue” among consumers, Slobodzian said. “That’s just unfortunate, because we can do better,” he said.

Recent data suggests retailers are bouncing back quickly from the bad publicity created by a data breach. Just before Target’s breach in late December 2013, 50 percent of consumers said they would consider going there the next time they were shopping, according to surveys by YouGov, which tracks brand perception. That dropped to 35 percent after the breach was revealed, but has since increased to 42 percent.


Home Depot saw even less of an impact, with the percentage of consumers who said they would shop at the retailer dropping from 47 percent before the breach to 40 percent afterward. It’s now at 43 percent, according to YouGov.

This fatigue is dangerous if it causes consumers to be complacent about tracking their financial statements, Slobodzian said.

“Credit cards are the number one target for bad guys because they’re easy to monetize,” Slobodzian said.

President Obama, in a statement Monday afternoon at the Federal Trade Commission, called for tougher laws regarding how companies respond to data breaches. He’s pushing legislation, called the Personal Data Notification and Protection Act, that would require companies to inform customers within 30 days of a breach being detected. It also would outlaw the sale of customers’ identities overseas.

Slobodzian said it was too early to tell whether the federal legislation, if it becomes law, would have an impact on the number and frequency of these data breaches.

“In general, trying to do something is a good thing,” he said. “But how that will be executed, that remains to be seen.”

Maine’s Bureau of Consumer Credit Protection also announced Monday the publication of a booklet to help Mainers understand how to track their credit scores and access credit reports. Those interested in the booklet – the Downeaster Common Sense Guide: Credit Bureaus and Credit Reports – can order it for free by calling the bureau at (800) 332-8529 or downloading it from the bureau’s website.

Only subscribers are eligible to post comments. Please subscribe or login first for digital access. Here’s why.

Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.