The office supply store Staples and Michaels craft stores were both hit by data breaches in 2014, joining a growing list of companies hit by point-of-sale (POS) malware attacks. It appears both retailers were attacked through the same criminal infrastructure, with the malware targeting debit and credit card data captured on POS machines at checkout. The malware that hit Staples was connecting to the same control networks as the malware that hit Michaels, and it wouldn't be surprising if the same cybercriminal group was behind the incident.
"We are continuing to investigate a data security incident involving an intrusion into some of our retail point of sale and computer systems," said Mark Cautela, Staples spokesman, in a statement to KrebsOnSecurity. "We believe we have eradicated the malware used in the intrusion and have taken steps to further enhance the security of our network."
The volume of data breaches in 2013-2014 indicates these attacks are likely being orchestrated by state-sponsored hackers, and trying to prevent these incidents has proven difficult.