Office-supply retailer Staples Inc said about 1.16 million payment cards might have been affected by the data breach announced in October.
An investigation by external data security experts showed that criminals deployed malware to some point-of-sales systems at 115 U.S. stores, Staples said.
The company said it has since eradicated the malware.
Staples, which has more than 1,400 stores in the country, said the malware might have allowed access to some transaction data, including cardholder names, payment card numbers, expiration dates, and card verification codes.
At 113 stores, the malware may have allowed access to data for purchases from Aug. 10 through Sept. 16. At two stores, the access may have been for purchases from July 20 through Sept. 16.
The investigation also reported some fraudulent payment card usage related to four Manhattan stores, but those did not have malware.
Staples became the latest U.S. retailer to combat security data breaches after Sears Holdings Corp said in October it was the victim of a cyberattack that likely resulted in the theft of some customer payment cards at its Kmart stores.
Shares of Staples have jumped 40.85 percent since Oct. 21, when the company announced the investigation.