The data breach of retailer photo processing sites managed by a Staples-owned third-party vendor could be a costly affair.

Forget Staples' (SPLS) merger with Office Depot getting new scrutiny from antitrust regulators that could derail the deal. The office supplies retailer has another time bomb ticking away on its balance sheet that's just as serious, and could be ready to detonate.

PNI Digital Media is the third-party photo processing service for retailers like Costco, CVS Health (CVS), and Wal-Mart whose database of customer account information was hacked this past summer. It caused the retailers to scramble to take down their sites and warn customers that their credit card information may have been compromised.

Despite initial expectations that the service would be restored quickly, full functionality has been delayed, and CVS updated its notice the other day to confirm that there was "an illegal intrusion into PNI's system that potentially resulted in the unauthorized acquisition of data entered by certain users on CVSPhoto.com."   

The problem for Staples is that it bought PNI Digital Media for $67 million last year. It undoubtedly seemed like a simple way to generate additional incremental revenue at a time when sales of paper, pencils, and copies were still sluggish, but the hack may have turned the acquisition into a major liability.

A roster of big customers
The breach was first reported in July by web security site Krebs on Security, which noted CVS had taken down its website soon after Walmart Canada had similarly warned that data from its site had been compromised after its third-party vendor was attacked. Krebs reported PNI Digital Media had listed CVS, Wal-Mart, and Costco as customers on its site, but soon scrubbed all mention of them as news of the attack spread. Like dominoes falling, other retailers began warning their customers of the breach as well.

Although the full extent of the damage wrought by the hack is still unknown, Staples is preparing for the worst. In last quarter's earnings report, the office supplies retailer said the costs associated with the attack aren't material to its finances yet, but it expects that losses in the future are probable and "may be material to our results of operations and financial condition."

The question for investors is just how "material" it could get.

Some of the biggest retailers partnered with Staples' photo processing service, PNI Digital Media. Image source: m01229.

It's not going to be cheap
One study suggests it might not be much, as many companies reporting breaches have said that actual expenses amounted to less than 1% of annual revenues. But others say it could get very pricey indeed.

According to an annual study by IBM and the Ponemon Institute of data breaches, the average cost to a company was $170 per record last year, a 7% increase over 2013. But that's globally. In the U.S., the cost is $217 per record, up from $207 the year before. It also depended on the type of industry that was hacked (retail saw the most dramatic increases in costs, up 57% year over year) and how many records were compromised. 

Target's (TGT) massive credit card breach in 2013, which it's still getting out from under, has so far cost it $264 million in cumulative expenses, though they've been offset by $90 million in reimbursements from its insurance policies, for a net total of $174 million.

That's a mere pittance since it earned $2.5 billion on continuing operations last year, but there are more costs to come. Earlier this year, Target settled, for $10 million, a number of class action lawsuits related to the breach, and just a few weeks ago, it settled a lawsuit brought by Visa (V) for $67 million.

But only a few days ago, a federal judge certified another class action lawsuit that was brought by banks affected by the breach, and Target failed to get enough financial institutions to sign up for the settlement it had reached with MasterCard (MA).

According to the Congressional Research Service, Target could also be liable for as much as $1.1 billion in fines from the Payment Cards Industry Council based on the amount of fraudulent charges made with compromised cards (though others say it could be as little as $240 million).

Home Depot (HD), which suffered an even bigger breach than Target last year, has so far incurred $232 million in expenses related to it, $100 million of which has been reimbursed by its insurers. Still, expenses remain ongoing, and it's apparently reached the limits of its liability policies.

Cut the red or blue wire?
So, for Staples, which recorded just $135 million in GAAP operating earnings last year, it's easy to see why, even though the expenses for Target and Home Depot weren't considered material to their financial health, the office supplies company is saying the risk to its own operations may be substantial.

Despite the discovery of the breach being some 2 months old now, there's really not much information available regarding the extent of the damage from the breach at CVS, Costco, Wal-Mart, and the others -- or its breadth. But because of PNI Digital Media's extensive customer list, it remains a situation that could blow up in Staples' face just as its merger effort implodes.