Kmart Latest Retail Chain to Disclose Payment Card Breach

Kmart is the latest domino to fall in the seemingly endless streak of major retail chain breaches. The discount department store acknowledged on Friday that it fell victim to a “payment security incident” for most of September and some of October.

The store, which is operated by Sears Holdings Corp., claims its IT team discovered the breach last Thursday and subsequently contacted a “leading IT security firm” to investigate the incident further.

Alasdair James, Kmart’s President, disclosed the breach before the long holiday weekend, late Friday, in a letter published to its website.

In the letter James claims that the company’s payment data systems were infected with an unspecified “new form of malware” that went on to compromise users’ credit and debit card numbers.

The company is insisting that customers’ personal information, debit card PIN numbers, email addresses, and Social Security numbers were not leaked in the breach. Customers who shopped on kmart.com are not expected to be at risk, either.

The store didn’t state exactly how many locations were implicated in the breach, but many reports – including one by the BBC – suggest that any customer who shopped at any of the chain’s nearly 1200 stores over the past five weeks or so is at risk.

Kmart has since removed the malware and contained the breach, it reports.

As is to be expected, the company is set to offer free credit monitoring protection, something that corporations that have been breached – and there have been a handful as of late, Home Depot, Target, Supervalu, etc. – usually do.

Just last week the restaurant chain Dairy Queen confirmed that nearly 400 of its stores were breached this summer via the Backoff malware and that customers’ payment card numbers, expiration dates and customer names had been compromised.

The Kmart breach couldn’t come at a worse time for the Illinois-based company, which has fought to stay relevant in recent years. The company filed for bankruptcy in the early 2000s and despite being rescued by Sears in 2005, it has continued to see a steep decline in sales nationwide. According to Credit Suisse, a global financial services company, Kmart is expected to pull in $12 billion this year, a far cry from the $36 billion it made in 2000.

 

Discussion

  • Ulf Mattsson on

    We are getting used to hearing that “data systems were infected with an unspecified ‘new form of malware’”. The good news is that Kmart was able to remove the malicious software from its systems, but the harm is already done by the malware so we need to be more proactive and protect the sensitive data that the malware is attacking. We know that malware tries to hide from its victims. For example, it may delete its icon so that it won’t be noticed. Even if the malware is detected it could be hard to notice in the noise from state-of-the-art malware detection systems. The Target breach last year had this type of situation. Expect that you are breached and have malware in your systems. McAfee Labs researchers have analyzed the threats and seen a steady growth in malware. I suggest that all sensitive data should be protected when flowing through our computer systems. Data tokenization proved to be a cost-effective approach to secure the sensitive data itself across the entire data flow. Recent studies reported that data tokenization can cut security incidents by 50% compared to alternative data protection methods. Ulf Mattsson, CTO Protegrity
