Staples Inc. confirmed Friday evening that about 1.16 million credit cards may have been hit in a major data breach. The culprit is malware that may have allowed access to transaction information including names of cardholders and their card numbers, expiration dates and verification codes, the big retailer said in a statement posted on its website.

The national office supply store chain said an internal investigation determined that “criminals deployed” the malware, which struck 115 of its 1,400 U.S. stores in August and September, according to the statement.

“Upon detection, Staples immediately took action to eradicate the malware in mid-September and to further enhance its security, the company wrote. “Staples also retained outside data security experts to investigate the incident and has worked closely with payment card companies and law enforcement on this matter.”

The company is also offering free identity protection services, including credit monitoring, identity theft protection and a free credit report to anyone who used a credit card at the affected stores during the period of the breach. The specific stores at risk and the dates during which purchases may have led to credit card data being compromised can be found here.

The breach at Staples is the latest in a series of major breaches at a number of large American retail chains, including Home Depot and Target.

Staples acknowledged last month that it was looking into a breach of some of its systems, but on Friday it confirmed it publicly and released details about its extent.

"The company is currently in the process of investigating a data security incident involving an intrusion into certain of the company's retail point-of-sale and computer systems," the company said in a November U.S. Securities and Exchange Commission filing, according to E Week.