The attackers that stole payment card information from consumers of Texas-based arts and crafts store chain Michaels and international office supply chain store Staples are likely the same ones.
According to information received by Brian Krebs, the malware found in Staples stores and the one found in Michaels communicated with the same C&C networks.
And while it’s possible that these networks have been rented, it’s also very unlikely, as creating them from scratch is easier and cheaper.
The Michaels breach – actually, two breaches: one at its Aaron Brothers stores and the other at Michaels stores – took place between May 8, 2013 and February 27, 2014, and it is believed that the attackers managed to impact around 3 million payment cards via compromised POS systems.
Rumours of a Staples breach have been circulating since late October, and according to information shared by banks, it seems that the cash registers at a number of Staples stores were compromised between July and September 2014. According to sources close to the investigation, some 100 Staples stores were hit.
Staples spokesman Mark Cautela confirmed that they are investigating, in conjunction with law enforcement, a “data security incident” that affected some of their stores. “We believe we have eradicated the malware used in the intrusion and have taken steps to further enhance the security of our network,” he said.