The full extent of the Staples breach was revealed this past week, with the company posting a statement as well as a press release on its website. Although security blogger Brian Krebs reported that multiple financial institutions were complaining of payment card fraud that was connected to Staples nearly two months ago in October, the details of the security breach have only just now been released to the public. At the time this story broke, Staples provided no specific details, but confirmed that it had contacted law enforcement to investigate the issue. Now, the results of that investigation have been brought to light.

1.16 million customer cards were exposed

The results of an internal investigation between Staples and law enforcement determined that about 119 Staples stores across the U.S. suffered a malware attack that led to customer payment card data being stolen. The estimate is that a total of 1.16 million debit and credit cards were compromised — including customer names, payment card numbers, expiration dates and verification codes. Of the stores affected, Staples determined that 113 were vulnerable between August 10 and September 16, 2014 and two were vulnerable between July 20 and September 16, 2014. Additionally, four stores in Manhattan, NY were exposed for almost six months — between April and September. A full list of stores can be found in PDF format on the Staples website. Initially, it was reported that only stores in the Northeastern U.S. were affected, but the full list shows that this breach affected stores across the country.

What is Staples offering affected customers?

As per usual for big-box retailers, affected customers have been promised identity theft protection from ProtectMyID. A toll-free call center has been set up for anyone with questions to call. The hours for the call center are 9 a.m. to 9 p.m. ET Monday through Friday and 11 a.m. to 8 p.m. ET on Saturdays and Sundays. Additionally, Staples has stated that no customer will be held financially responsible for any fraudulent charges made in their name as a result of this security breach.

What can I do in the face of this Staples breach?

Although there’s nothing you can really do to stop your information from being stolen, since it was likely already breached, there are some proactive steps you can take to make sure anyone who has your information can’t do much with it.

1. Watch for suspicious activity on your payment card statements. Because it took almost two months for Staples to pinpoint which stores were affected and during which specific time frames, criminals have had a long time to obtain and use customer information. If you haven’t looked over your financial records recently, go back to the time period during the breach and look carefully at all transactions during and after that time. Be sure to report any fishy charges as soon as you catch them, as this is a great way to stop a thief in their tracks. Going forward, it’s a good idea to always carefully scrutinize your statements if you don’t already.

2. Consider requesting a new payment card. If you shopped at a Staples sometime between April and September 2014, it may be prudent to request a new credit or debit card. When customer information is exposed in this manner, you can’t be certain that you are safe, even if your card hasn’t seen any suspicious activity. It might take some convincing to get a new card from your provider, but doing so will ensure that even if your information was stolen, it will be useless to any criminal that intends to use it.

3. Sign up for identity theft protection. Like so many retailers before it, Staples has offered free identity theft protection service to customers affected by the breach. ProtectMyID is the same service that Target offered to customers one year ago during its security fiasco. At the time, we wrote about why ProtectMyID might not be the best choice for people who are concerned about protecting their identity — and the same advice holds true now. The best identity theft protection services offer credit report monitoring from all three credit bureaus, which is something ProtectMyID lacks. It’s important to know what’s being reported on all three bureaus because not everything is reported to each one.
