Staples Inc. says nearly 1.2 million customer payment cards may have been exposed during a security breach earlier this year.
The office supply retailer said in October that it was looking into a potential credit card breach, adding to a long list of retailers recently hit by cyberattacks.
Staples said Friday that an investigation shows that the criminals used malware that may have allowed access to information for transactions at 115 of its U.S. stores. That includes cardholder names, payment card numbers, expiration dates and card verification codes.
The Framingham, Massachusetts-based company is offering free identity protection services, including credit monitoring, to customers who might be at risk.
The security breach affected different stores at different times between July and September.