American office supply retailer Staples took down some of its systems earlier this week after a cyberattack to contain the breach’s impact and protect customer data.
Staples operates 994 stores in the US and Canada, along with 40 fulfillment centers for nationwide product storage and dispatch.
The disclosure comes after multiple reports posted on Reddit since Monday described various internal operational problems at Staples, including an inability to access Zendesk and VPN employee portals, print email, use phone lines, and more.
Additionally, there are unconfirmed reports that Staples employees have been instructed to avoid logging into Microsoft 365 using single sign-on (SSO) and that call center employees have been sent home for two consecutive days.
BleepingComputer reached out to Staples asking about the validity of these reports, and the company confirmed that it was forced to take protective action to mitigate what it described as a “cybersecurity risk.”
The response measures disrupted Staples’ business operations, specifically the backend processing and product delivery.
“On November 27, Staples Inc.’s cybersecurity team identified a cybersecurity risk. We took proactive steps in an effort to mitigate the impact and protect customer data,” a Staples spokesperson told BleepingComputer.
“Our prompt efforts caused temporary disruption to our backend processing and delivering capabilities, as well as our communications channels and customer service lines.”
Stores open, online orders still disrupted
Staples stores are currently open and operational, but orders on staples.com may not be processed according to the standard timelines as related systems are still down.
“All of our systems are in the process of coming back online, and we expect to return to normal functionality in short order. We may experience slight delays in the interim but expect to ship all orders that have been placed,” the spokesperson added.
A similar notice was posted on Staples’s website, apologizing to visitors for the unexpected outage and promising a quick return to normal operations.
BleepingComputer has learned that no ransomware was deployed in the attack, and no files were encrypted.
However, encryptors are typically the final payload deployed in a ransomware attack. A quick response by Staples, including network and VPN shutdown, may have thwarted the attack before it reached its final stages.
In March 2023, Staples-owned distributor Essendant also experienced a multi-day outage that prevented customers and suppliers from placing or fulfilling online orders.
Almost three years earlier, in September 2020, the firm suffered a data breach that exposed sensitive customer and order information after hackers exploited a vulnerability on an unpatched VPN endpoint to gain access.