Kmart Says Payment Cards Breached: 'New Form' of Malware Evaded Anti-Virus Systems
(Updated with expert commentary on Oct. 12.)
The breach was detected by Kmart's IT team on Oct. 9, which immediately led to a full investigation with the help of a leading IT security firm, the company says in an Oct. 10 statement. Kmart is owned by Sears Holdings Corp., headquartered in Hoffman Estates, Ill.
Compromised information includes debit and credit card numbers. Based on the forensic investigation to date, no personal information, debit card PINs, e-mail addresses or Social Security numbers were obtained by the hackers. Kmart also says there's no evidence that its kmart.com customers were impacted by the breach. A Kmart spokesperson told Information Security Media Group that the retailer is not at this time disclosing any details about the quantity of payment cards that may have been compromised.
The malware used in the attack was undetectable by current anti-virus systems, the company says.
"This data breach has been contained and the malware has been removed," Alisdair James, Kmart president and chief member officer, says. "I sincerely apologize for any inconvenience this may cause our members and customers."
Customers who paid with a credit or debit card in Kmart stores from September through Oct. 9 will be offered free credit monitoring, the company says.
Kmart says it's working closely with federal law enforcement authorities, its banking partners as well as security experts in its ongoing investigation.
Kmart operates 1,221 stores across 49 states, Guam, Puerto Rico and the U.S. Virgin Islands, as of February 2013, according to the company's website.
Reacting to this latest announcement, Al Pascual of Javelin Strategy and Research is encouraged by Kmart's prompt breach notification.
"It is nice to see that they detected the breach and disclosed it to the public within a month," he says. "And while it is a simple thing, I'm also rather encouraged by the language that was used in the notification specifically around the liability of affected cardholders - in that they have zero liability for fraud as long as they report suspected fraud immediately."
Pascual does offer a cautionary word for consumers: "Kmart's advisement to victims that they closely monitor their accounts is on point, but they are fostering a false sense of security by providing credit monitoring, which is largely ineffective in preventing fraud on existing card accounts."