Hackers Gain Access to Staples Payment Data, as Home Depot Data Breach MDL Formed

About one year after a it was discovered that millions of Target customers had data stolen by hackers, stores continue to find themselves unable to protect customer credit card and purchasing information.

Last week, Staples, Inc. became the latest major chain impacted, announcing that hackers have stolen data on 1.16 million payment cards in recent months.

The Staples data breach affected 115 stores, involving the use of malware on the company’s point-of-sale systems. The company joins Neiman Marcus, Target, Kmart, and Home Depot among large retail victims of such hacking attempts.

Most of the hacks have been linked to foreign hackers who then sell customers’ payment data on the black market to those intending to use it for credit card fraud schemes, identity theft, and, in some cases, to fund terrorist operations.

So far, the scale of the Staples breach, which occurred between July and September of this year, but was only announced last week, is smaller than most of the other data breaches reported this year by large retailers. However, the company reports that it has received at least four reports of fraudulent payment card use linked to four stores in New York which were not believed to be targeted by the malware.

Like other stores affected by hackers, Staples is offering customers identity protection services and free credit reports.

One of the largest data breach to date appears to have occurred at Home Depot, which reported that information on 56 million customers’ credit and debit cards was stolen, as well as 53 million e-mail addresses. It was second only to the Target data breach, which affected twice as many customers.

A growing number of Home Depot data breach lawsuits are now being pursued over the incident by customers who say the company failed to take adequate steps to protect their information.

The hackers allegedly used a variant of the same malware that breached Target’s systems last year, which some say means Home Depot and all other major commercial companies should have been prepared to thwart.

On December 11, the U.S. Judicial Panel on Multidistrict Litigation (JPML) issued a transfer order (PDF) establishing a federal multidistrict litigation (MDL) for all class action lawsuits against Home Depot over the data breach lawsuits, centralizing the cases before U.S. District Judge Thonas W. Thrash, Jr. in the Northern District of Georgia for pretrial proceedings.

The complaints include lawsuits filed by both customers and financial institutions which had to take action to protect customers’ data and credit ratings, such as issuing new credit and debit cards. The JPML says the creation of a Home Depot MDL, or multidistrict litigation will eliminate duplicative discovery, prevent inconsistent pretrial rulings and conserve the resources of the parties, witnesses and the courts.

Similar consolidated proceedings were established for the Target litigation, with cases filed throughout the federal court system pending before U.S. District Judge Paul A. Magnuson in the District of Minnesota.

Last week, Judge Magnuson refused to throw out most of the class action lawsuits filed against Target over the data breach, which resulted in the theft of credit card and debit card information for 110 million customers.