Dec 22, 2014 · 1 minute

Staples revealed on Friday that more than 1.1 million credit cards may have been stolen after 115 of its retail stores suffered a data breach between August and September. Other stores were targeted in July; four in Manhattan may have been affected as early as April.

The credit card information is thought to have been stolen via malware installed on the retailer's point-of-sale systems. Staples said it has "taken steps to enhance the security of its point-of-sale systems, including the use of new encryption tools" after the breach.

It's not clear if this means the company has upgraded to better encryption tools or if it previously allowed some payment information to be transferred without encrypting it. The latter would be unsurprising: companies have left payments data insecure before.

This breach is smaller than those at companies like the Home Depot and Target, which compromised 56 million and 40 million credit cards, respectively. That's likely to make Staples and the banks which issued the affected credit cards happy, as it should mean the breach's fallout won't be as bad as Target's, which cost banks at least $400 million.

Target might have to ease some of that damage. A District Court judge has ruled that both banks and consumers can sue the retailer because they "plausibly allege that they suffered injuries that are ‘fairly traceable’ to Target’s conduct." This means the company may have to cover the cost of issuing new credit cards and refunding fraudulent charges.

Staples is offering a free credit report, identity theft insurance, and credit monitoring to consumers who shopped at the affected stores when the breach was taking place. It has released a list of affected stores, but at the time of writing, the link to that list is broken.