Staples is the latest company to have a data breach due to hacked POS software.

The data breach may have affected roughly 1.16 million payment cards. The affected stores cover 35 states from California to Connecticut. Staples has 1,400 stores.

The malware was removed in mid-September; Staples confirmed the breach in October.

The malware may have allowed access to transaction data including cardholder names, payment card numbers, expiration dates, and card verification codes, for purchases made between Aug. 10 and Sept. 16, according to a statement from Staples.

Staples is offering free identity protection services, including credit monitoring, identity theft insurance, and a free credit report, to any customer who used a payment card at any of the affected stores during the relevant time periods.