Office supply chain store Staples has said the data breach at the company announced in October might have affected about 1.16 million payment cards.
In an update on the cyber attack, the company said its data security experts detected that criminals deployed malware to some point-of-sale systems at 115 of its more than 1,400 US retail stores.
Upon detection, Staples immediately took action to eradicate the malware in mid-September and to further enhance its security.
The company said the malware might have allowed hackers to access some transaction data at affected stores, including cardholder names, payment card numbers, expiration dates, and card verification codes.
The hacking attack might have affected customers who made purchases at the affected stores from 20 July through 16 September.
"Customers are not responsible for any fraudulent charges on their credit cards that are reported in a timely fashion," the company said in a statement.
The company added that it is offering affected customers free identity protection services, including credit monitoring, identity theft insurance and a free credit report.
"Staples is committed to protecting customer data and regrets any inconvenience caused by this incident. Staples has taken steps to enhance the security of its point-of-sale systems, including the use of new encryption tools," the company added.
Staples has been one of the US retailers recently hurt by hacking attacks. Other large retailers that suffered from similar attacks include Target, Sears Holdings and Home Depot.
US banking giant JPMorgan Chase and studio Sony Pictures Entertainment were also hit by sophisticated hacking attacks.