Massachusetts-based Staples Inc., the parent company of Top 40 distributor Staples Promotional Products (asi/120601), has confirmed a malware intrusion led to recent credit card breaches at some of its retail stores. On Friday, the company announced the point-of-sale breaches may have affected about 1.16 million cards used by customers in 35 states.

“Staples Inc. is committed to protecting customer data and regrets any inconvenience caused by this incident,” the company said in a statement. “Staples has taken steps to enhance the security of its point-of-sale systems, including the use of new encryption tools.”

The malware, Staples acknowledged, would have been able to access customer data at 113 of its stores for purchases made between August 10 and September 16 of this year. At two other locations, customer data was susceptible between July 20 and September 16. Thieves may have stolen customers’ names, payment card numbers, card verification codes and expiration dates.

“Typically, customers are not responsible for any fraudulent charges on their credit cards that are reported in a timely fashion,” Staples said. “Staples customers who shopped at the affected stores during the relevant time periods should review their account statements and notify their card issuers of any suspicious activity.”

As part of its response to the breach, the retailer is offering free identity protection services, including identity theft insurance and credit monitoring, to affected customers. The breach, which was first suspected in September, is the latest in a string of attacks that have impacted large retailers including Target, Kmart, and Home Depot.