Staples Confirms Breach; Home Depot Reports Breach Costs

In an SEC filing, Staples admitted it was the victim of a data breach. In its latest earnings report, Home Depot quantified its breach costs for the period.

retail security breaches

Staples can now officially be added to the growing list of retailers that have publicly admitted this year that their systems were attacked and customer data was breached.

In Staples 10-Q filing with the U.S. Securities and Exchange Commission (SEC), the company provided a few details about the attack against its systems. "The company is currently in the process of investigating a data security incident involving an intrusion into certain of the company's retail point-of-sale and computer systems," the Staples 10-Q states.

Staples has not identified how many stores or customers may be impacted by the data security incident. It's also unclear how Staples was attacked though the retailer does indicate in its 10-Q that malware was involved.

Retail point-of-sale (POS) malware has been a large threat in 2014. In July, the U.S. government first warned about Backoff malware, which is now thought to have impacted more than 1,000 retailers across the United States. Other POS malware that has impacted U.S. retailers includes FrameworkPOS and BlackPOS. In its 10-Q, Staples did not specifically identify the POS malware that it has eradicated from its systems.

At this point in the investigation, Staples has not yet put a price on the cost of its data security incident.

"It is reasonably possible that the company may incur losses in connection with the incident," the 10-Q states. "The company maintains network-security insurance coverage, which the company expects would help mitigate any material financial impact."

The cost of data breach incidents at retailers is one with only a few publicly disclosed figures at this point. Target, which was breached in a November 2013 incident, revealed in its second- quarter earnings report in August that its data breach-related costs were expected to be approximately $148 million.

Home Depot, also recently a victim of a data breach, first publicly confirmed that it was breached on Sept. 18 in an incident that affected 56 million credit cards.

On Nov. 18, Home Depot reported its third-quarter fiscal 2014 earnings, which included its breach-related costs. The pretax net expenses related to the data breach were reported at $28 million.

During Home Depot's earnings call with financial analysts, the company's CEO was asked about the impact of the breach.

"It's very difficult for us to be able to determine if there was any impact," Craig Menear, president and CEO of Home Depot, said. "We were very, very pleased with the fact that we had positive transaction growth in each month during the quarter, and I think that represents strength for our customers, confidence in the Home Depot and we appreciate that."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.