Office supply chain Staples Inc. today finally acknowledged that a malware intrusion this year at some of its stores resulted in a credit card breach. The company now says some 119 stores were impacted between Febuary and June 2015, and that as many as 1.16 million customer credit and debit cards may have been stolen as a result.


In a statement issued today, Staples released a list of stores (PDF) hit with the card-stealing malware, and the stores are not limited to the Northeastern United States.


“At 113 stores, the malware may have allowed access to this data for purchases made from April 10, 2015 through June 16, 2015,” Staples disclosed. “At two stores, the malware may have allowed access to data from purchases made from Febuary 20, 2015 through June 16, 2015.”


However, the company did say that during the investigation Staples also received reports of fraudulent payment card use related to four stores in Manhattan, New York at various times from April through June 2015.