Staples has contacted law enforcement authorities and is working to resolve the matter, according to Mark Cautela, a spokesman for the Framingham, Massachusetts-based company.
“If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis,” he said in an e-mail.
The potential data theft adds to a wave of breaches at companies such as Home Depot Inc., Target Corp., Sears Holdings Corp.’s Kmart chain and Neiman Marcus Group Ltd. that have put pressure on retailers to bolster security. The Staples incident, reported earlier by independent journalist Brian Krebs, may involve the theft of card information from Staples locations in the Northeast.
Staples declined 1.1 percent to $12.17 at 9:55 a.m. in New York. The shares had dropped 23 percent this year before today, compared to a gain of 3 percent for the Standard & Poor’s 500 Index.
At least three stores in New York, seven in Pennsylvania and one in New Jersey may have been targeted, according to unidentified officials at banks in the East Coast cited by Krebs, who investigates hacker attacks. The fraudulent charges occurred at other businesses such as supermarkets, indicating that cash registers in at least some store locations may have fallen victim to card-stealing malware, Krebs reported yesterday.
The data-breach probe comes as Staples grapples with a broader retail slump and increased competition from online rivals. In August, the company announced it will shut about 140 locations this year as part of a plan to streamline its operations.
Staples shut 80 outlets in North America in the fiscal second quarter. Net income last quarter dropped 20 percent to $82 million, or 13 cents a share, as $101 million was spent on closing locations, the company reported in August.
Expansion by Web-based rivals such as Amazon.com Inc. has spurred reorganizations across the retail industry, including the merger of Office Depot Inc. with OfficeMax Inc.