Data Breach At Staples Lasted 6 Months

Though the data breach was already known, the length of the attack is shocking. Here, you can find out what the average length of a cyber attack is. Hint: it’s way longer than okay.

Photo Credit: Anthony92931 / Creative Commons

In a previous blog post, we cited a Krebs on Security report that pointed to a possible data breach at Staples, which at the time the company referred to as “a potential issue.”

Fast forward a bit, and while it’s frankly not surprising that a statement posted by Staples (SPLS) on its website is now confirming the data breach, the duration of the campaign is going to alarm many shoppers — and prompt some fundamental questions about cyber security at the giant retailer.

In the December 19, 2014 statement, Staples confirmed the following:

  • Bad actors deployed malware to Point-of-Sale (PoS) systems at 115 stores (a full list of affected stores and infection dates is available in this PDF).
  • Data from 1.6 million payment cards may have been stolen, including card numbers, card verification codes, cardholder names, and card expiration dates.
  • Customers who used a payment card at 113 of the affected stores from August 10, 2014 through September 16, 2014 may have had their data stolen.
  • Customers who used a payment card at the other two affected stores between July 20, 2014 and September 16, 2014 may have had their data stolen.
  • During its data breach investigation, Staples received reports of fraudulent payment card use related to four stores in the Manhattan, New York area from April 2014 through September 2014.

And in what is fast becoming standard boilerplate material on these kinds of data breach statements (such as these incidents from Kmart, Home Depot, and UPS), Staples noted that it is offering free identity protection and credit monitoring services to customers potentially affected by the data breach.

While news of a data breach at yet another retailer isn’t quite the shocking revelation that it was in the pre-Target world, an analysis by Seculert’s CTO Aviv Raff (which is also featured in a new blog post by Brian Krebs) found that bad actors were in the Staples network for a whopping 182 days — or 6 months!

Image Credit: Seculert

Raff's analysis also found that the average time for an affected store to detect and respond to the data breach was 40 days, with the shortest being 37 days and the longest being 181 days.

Much like previous attacks, the prolonged Staples data breach once again demonstrates that enterprises — whether they sell office supplies, or provide any other product or service — cannot exclusively depend on their breach security technologies and products (e.g. anti-virus software, firewalls, secure web gateways, etc.) to prevent an attack.

Instead, they must shift their approach and deploy technology that detects and responds to a data breach as early as possible, and much sooner than six months. Otherwise, the only thing bad actors will need to worry about is using up the batteries in their “easy button,” as they keep smacking it over and over to celebrate yet another extended and lucrative data breach.

Disclosure: This post was originally published on  more
