American office supply retailer Staples took down some of its systems earlier this week after a cyberattack to contain the breach’s impact and protect customer data.
Staples operates 994 stores in the US and Canada, along with 40 fulfillment centers for nationwide product storage and dispatch.
The disclosure follows multiple reports posted on Reddit since Monday describing various problems with Staples' internal operations, including an inability to access Zendesk, VPN employee portals, print email, use phone lines, and more.
“Everything is still down. I work in store and we have no access to email, bizfit, pogs, ehelp desk. DM said they were fixing it overnight last night but obviously nothing was fixed,” a Staples employee commented on Reddit.
“This is nuts. I’ve never seen anything like this in my 20 years with Staples,” said another employee.
Additionally, there are unconfirmed reports that Staples employees have been instructed to avoid logging into Microsoft 365 using single sign-on (SSO) and that call center employees have been sent home for two consecutive days.
BleepingComputer reached out to Staples asking about the validity of these reports, and the company confirmed that it was forced to take protective action to mitigate what it described as a “cybersecurity risk.”
The response measures disrupted Staples’ business operations, specifically the backend processing and product delivery.
“On November 27, Staples Inc.’s cybersecurity team identified a cybersecurity risk. We took proactive steps in an effort to mitigate the impact and protect customer data,” a Staples spokesperson told BleepingComputer.
“Our prompt efforts caused temporary disruption to our backend processing and delivering capabilities, as well as our communications channels and customer service lines.”
Stores open, online orders still disrupted
Staples stores are currently open and operational, but orders on staples.com may not be processed according to the standard timelines as related systems are still down.
“All of our systems are in the process of coming back online, and we expect to return to normal functionality in short order. We may experience slight delays in the interim but expect to ship all orders that have been placed,” the spokesperson added.
A similar notice was posted on Staples’s website, apologizing to visitors for the unexpected outage and promising a quick return to normal operations.
BleepingComputer has learned that no ransomware was deployed in the attack, and no files were encrypted.
However, encryptors are typically the final payload deployed in a ransomware attack. A quick response by Staples, including network and VPN shutdown, may have thwarted the attack before it reached its final stages.
Only time will tell if data was stolen while the threat actors had access to Staples' network. If data was stolen, we will likely see the hackers attempt to extort Staples into paying a ransom by threatening to publicly leak the data.
In March 2023, Staples-owned distributor Essendant also experienced a multi-day outage that prevented customers and suppliers from placing or fulfilling online orders.
Almost three years earlier, in September 2020, the firm suffered a data breach that exposed sensitive customer and order information after hackers exploited a vulnerability on an unpatched VPN endpoint to gain access.