Cyber Incident Victim: Staples
Date: Sep 2020
Location: United States of America
Summary
An office retail company experienced unauthorized access to a system handling customer order data, potentially compromising non-sensitive information including names, addresses, email and phone numbers, partial payment card details, and order specifics such as delivery and product information. The breach did not affect account credentials, full payment card data, or lead to unauthorized purchases. Impacted customers were notified individually, with the incident marking the company's first significant security event since a prior point-of-sale compromise years earlier.

| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |

Description
In early September 2020, Staples experienced unauthorized access to a system handling customer order data for its Staples.com operations. The incident occurred around September 2, though the company did not publicly disclose the breach at the time. Staples CEO Alexander 'Sandy' Douglas notified affected customers individually via email, confirming that an unauthorized party had accessed "a limited amount" of order information. The compromised system specifically involved data from Staples.com customers, with indications that the Canadian division's website remained unaffected. While the investigation was ongoing, Staples confirmed the breach exposed non-sensitive customer order details but emphasized that full payment card information and account credentials remained secure.

The exposed data potentially included customer names, physical addresses, email addresses, phone numbers, the last four digits of credit cards, and specific order details such as delivery information, product descriptions, and transaction costs. Staples acknowledged this information could facilitate targeted scams through email or phone calls despite lacking full financial credentials. The company established a dedicated phone line for breach inquiries, directing customers to select option 3 for assistance. No evidence suggested unauthorized purchases occurred using the compromised data. This marked Staples' first significant security incident since its 2014 point-of-sale system breach affecting 115 U.S. retail locations. The company had not released further technical details about the intrusion vector, containment measures, or exact number of impacted customers by the time external reports surfaced.
