Staples revealed Friday the scope of a data breach that it announced in October.
The breach, which began as a malware attack at 115 stores, may have affected 1.16 million payment cards. The office supply chain operates 1,400 stores nationwide.
"Staples is committed to protecting customer data and regrets any inconvenience caused by this incident. Staples has taken steps to enhance the security of its point-of-sale systems, including the use of new encryption tools," the company said in a statement.
The malware may have allowed access to to cardholder names, numbers, expiration dates, and card verification codes from about July through September, depending on the store.
Staples published a list of affected stores. Affected customers are eligible for free credit and identify theft protection.
Gavin Stern is a national digital producer for the Scripps National Desk. Follow him on twitter at @GavinStern.