Kmart Says Hackers Breached Payment System

[DEVELOPING STORY] – Kmart is the latest large U.S. retailer to experience a breach of its payment systems, joining a fast-growing club dealing with successful hack attacks that have resulted in the exposure of customer data and payment card information.

The company said that on Thursday, Oct. 9, its IT team detected that its payment data systems had been breached, sparking them to quickly initiate an investigation.

The company believes debit and credit card numbers have been compromised.

A company spokesperson told SecurityWeek that they are not able to provide a figure on the number of customers impacted. The spokesperson said that based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by the attackers.

“Our investigation to date indicates the breach started in early September,” the company said in a statement (PDF). “According to the security experts we’ve been working with, our Kmart store payment data systems were infected with a form of malware that was undetectable by current anti-virus systems. We were able to quickly remove the malware. However we believe debit and credit card numbers have been compromised.”

The company declined to comment on what security firm was conducting the investigation.

Kmart.com customers do not appear to be impacted, Kmart said.

The retailer said that it was working closely with federal law enforcement authorities, its banking partners and other IT security firms as part of the ongoing investigation.

Kmart, a wholly owned subsidiary of Sears Holdings Corporation, operated 1,152 locations as of Feb. 1, 2014.

News of the Kmart data breach comes just one day after Dairy Queen confirmed that its payment systems were breached and infected with malware.

“Attackers have access to a range of custom POS malware these days designed to specifically steal card and magnetic track data from POS memory, which bypasses traditional data-at-rest encryption and perimeter controls,” Mark Bower, VP of product marketing at Voltage Security, told SecurityWeek on Friday. “Malware into the POS might come from direct network intrusion, or by subverting the POS software update and patch management system with an infected update. Once in, attackers can syphon off every transaction that customers swipe until it’s detected and removed.”

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
