Photo

In the latest hacking of American retailers and restaurants, Staples said on Tuesday that its computer systems were compromised in an intrusion involving customers’ credit- and debit-card information.

Staples, the office supplier based in Framingham, Mass., said it was working with law enforcement agencies to determine the extent of the problem. The company did not say when the attack occurred or in which stores, or how many payment cards might have been affected.

“We take the protection of customer information very seriously and are working to resolve the situation,” Mark Cautela, a Staples spokesman, said in a statement.

This month, Sears Holdings Corporation reported a data breach at its Kmart stores. Other recent breaches at retailers have affected Target, Supervalu, Home Depot, Sally Beauty Supply, Neiman Marcus, United Parcel Service, Michaels Stores and Albertsons, as well as the food chains Dairy Queen and P. F. Chang. Each company had its in-store payment systems compromised by malware over the last year.

The Secret Service estimated this summer that 1,000 American merchants had been affected by this kind of attack, and that many of them might not even know that they were breached, particularly because the so-called malware the criminals used was specifically created to evade standard antivirus defenses. There have been no arrests.

In each case, criminals scanned for tools that typically allow employees and vendors to work remotely, then used those tools to install malware on retailers’ systems. That malware, in turn, fed back customers’ payment details to the hackers’ computer servers.

The same group of criminals in Eastern Europe is believed to be behind the earlier attacks, according to several people with knowledge of the results of forensics investigations who spoke on the condition of anonymity because of nondisclosure agreements.

The entry point for each breach has differed, according to law enforcement officials. At Target, it was thought to be a Pennsylvania company that provided heating, air-conditioning and refrigeration services to the retailer. Criminals were able to use the company’s login credentials to gain access to Target’s systems and eventually to its point-of-sale systems.

Studies have found that retailers, in particular, are unprepared for such attacks. A joint study by the Ponemon Institute, an independent security research firm, and DB Networks, a database security firm, found that a majority of computer security experts in the United States believed that their organizations lacked the technology and tools to detect database attacks quickly.

Only one-third of those experts said they did the kind of continuous database monitoring needed to identify irregular activity, and another 22 percent acknowledged that they did no scanning at all.

Staples said customers would not be responsible for any fraudulent activity on their credit cards “that is reported on a timely basis.”

Security experts say such breaches are now the norm.

“This latest breach demonstrates that criminal hacking organizations have much better collaboration and information sharing practices than our major retailers,” said John Gunn, a vice president at Vasco Data Security. “In the past, mega-breaches were isolated events, but now, with well-developed secondary markets for hacking tools and techniques, multiple hacking organizations can execute similar attacks simultaneously or in rapid succession.”

The attacks, Mr. Gunn said, are “still in the upper echelon; the next step will be the thousands of midsize and regional chains.”

The only way companies will be able to stop such attacks from harming customers, security experts say, is to move quickly to the new chip-based payment standard known as E.M.V., short for Europay, MasterCard and Visa, the technology’s first backers. The technology makes it harder for criminals to use stolen account information to make purchases or create counterfeit cards.

Merchants have been slow to adopt the standard because it requires that they write thousands of lines of new software code and deploy it on thousands of PIN pads in their stores.

Some companies, like Walmart, have been quick to adopt the standard before the October 2015 deadline pushed by payment companies. Others were slow to adopt the standard until the Target breach last year.